@contrast/assess 1.11.0 → 1.12.0

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
Files changed (71) hide show
  1. package/lib/dataflow/index.js +0 -1
  2. package/lib/dataflow/propagation/install/JSON/parse.js +2 -4
  3. package/lib/dataflow/propagation/install/JSON/stringify.js +2 -1
  4. package/lib/dataflow/propagation/install/array-prototype-join.js +2 -1
  5. package/lib/dataflow/propagation/install/buffer.js +2 -4
  6. package/lib/dataflow/propagation/install/contrast-methods/add.js +2 -1
  7. package/lib/dataflow/propagation/install/contrast-methods/string.js +2 -4
  8. package/lib/dataflow/propagation/install/contrast-methods/tag.js +2 -4
  9. package/lib/dataflow/propagation/install/decode-uri-component.js +2 -1
  10. package/lib/dataflow/propagation/install/ejs/escape-xml.js +2 -1
  11. package/lib/dataflow/propagation/install/encode-uri-component.js +2 -1
  12. package/lib/dataflow/propagation/install/escape-html.js +2 -1
  13. package/lib/dataflow/propagation/install/escape.js +2 -1
  14. package/lib/dataflow/propagation/install/handlebars-utils-escape-expression.js +2 -1
  15. package/lib/dataflow/propagation/install/mongoose/schema-map.js +1 -1
  16. package/lib/dataflow/propagation/install/mongoose/schema-mixed.js +1 -1
  17. package/lib/dataflow/propagation/install/mongoose/schema-string.js +2 -4
  18. package/lib/dataflow/propagation/install/mysql-connection-escape.js +2 -1
  19. package/lib/dataflow/propagation/install/path/basename.js +2 -4
  20. package/lib/dataflow/propagation/install/path/join-and-resolve.js +2 -4
  21. package/lib/dataflow/propagation/install/path/normalize.js +2 -4
  22. package/lib/dataflow/propagation/install/pug-runtime-escape.js +2 -1
  23. package/lib/dataflow/propagation/install/querystring/parse.js +2 -1
  24. package/lib/dataflow/propagation/install/reg-exp-prototype-exec.js +2 -4
  25. package/lib/dataflow/propagation/install/sequelize.js +2 -4
  26. package/lib/dataflow/propagation/install/sql-template-strings.js +2 -1
  27. package/lib/dataflow/propagation/install/string/concat.js +2 -1
  28. package/lib/dataflow/propagation/install/string/format-methods.js +2 -1
  29. package/lib/dataflow/propagation/install/string/html-methods.js +2 -1
  30. package/lib/dataflow/propagation/install/string/index.js +2 -1
  31. package/lib/dataflow/propagation/install/string/match-all.js +1 -1
  32. package/lib/dataflow/propagation/install/string/match.js +1 -1
  33. package/lib/dataflow/propagation/install/string/replace.js +2 -1
  34. package/lib/dataflow/propagation/install/string/slice.js +2 -1
  35. package/lib/dataflow/propagation/install/string/split.js +2 -1
  36. package/lib/dataflow/propagation/install/string/substring.js +2 -1
  37. package/lib/dataflow/propagation/install/string/trim.js +2 -1
  38. package/lib/dataflow/propagation/install/unescape.js +2 -1
  39. package/lib/dataflow/propagation/install/url/domain-parsers.js +2 -1
  40. package/lib/dataflow/propagation/install/url/parse.js +3 -2
  41. package/lib/dataflow/propagation/install/url/searchParams.js +17 -10
  42. package/lib/dataflow/propagation/install/url/url.js +2 -1
  43. package/lib/dataflow/propagation/install/validator/hooks.js +2 -1
  44. package/lib/dataflow/sinks/install/child-process.js +1 -1
  45. package/lib/dataflow/sinks/install/eval.js +1 -1
  46. package/lib/dataflow/sinks/install/express/unvalidated-redirect.js +2 -2
  47. package/lib/dataflow/sinks/install/fastify/unvalidated-redirect.js +1 -1
  48. package/lib/dataflow/sinks/install/fs.js +1 -1
  49. package/lib/dataflow/sinks/install/function.js +1 -1
  50. package/lib/dataflow/sinks/install/http/request.js +1 -1
  51. package/lib/dataflow/sinks/install/http/server-response.js +1 -1
  52. package/lib/dataflow/sinks/install/koa/unvalidated-redirect.js +1 -1
  53. package/lib/dataflow/sinks/install/marsdb.js +1 -1
  54. package/lib/dataflow/sinks/install/mongodb.js +2 -2
  55. package/lib/dataflow/sinks/install/mssql.js +1 -1
  56. package/lib/dataflow/sinks/install/mysql.js +2 -2
  57. package/lib/dataflow/sinks/install/postgres.js +1 -1
  58. package/lib/dataflow/sinks/install/sequelize.js +1 -1
  59. package/lib/dataflow/sinks/install/sqlite3.js +1 -1
  60. package/lib/dataflow/sinks/install/vm.js +1 -1
  61. package/lib/dataflow/sources/handler.js +2 -2
  62. package/lib/dataflow/sources/install/http.js +1 -1
  63. package/lib/dataflow/tracker.js +1 -5
  64. package/lib/{dataflow/event-factory.js → event-factory.js} +57 -1
  65. package/lib/index.js +3 -1
  66. package/lib/session-configuration/common.js +19 -0
  67. package/lib/session-configuration/handlers.js +86 -0
  68. package/lib/session-configuration/index.js +5 -8
  69. package/lib/session-configuration/install/express-session.js +131 -0
  70. package/package.json +2 -2
  71. package/lib/session-configuration/install/http.js +0 -79
package/lib/dataflow/index.js CHANGED
@@ -20,7 +20,6 @@ const { callChildComponentMethodsSync } = require('@contrast/common');
20
20
  module.exports = function(core) {
21
21
  const dataflow = core.assess.dataflow = {};
22
22
 
23
- require('./event-factory')(core);
24
23
  require('./tracker')(core);
25
24
  require('./sources')(core);
26
25
  require('./propagation')(core);
package/lib/dataflow/propagation/install/JSON/parse.js CHANGED
@@ -52,10 +52,8 @@ module.exports = function (core) {
52
52
  scopes: { sources, instrumentation },
53
53
  patcher,
54
54
  assess: {
55
- dataflow: {
56
- tracker,
57
- eventFactory: { createPropagationEvent },
58
- },
55
+ eventFactory: { createPropagationEvent },
56
+ dataflow: { tracker },
59
57
  },
60
58
  } = core;
61
59
 
package/lib/dataflow/propagation/install/JSON/stringify.js CHANGED
@@ -76,7 +76,8 @@ module.exports = function(core) {
76
76
  scopes: { sources, instrumentation },
77
77
  patcher,
78
78
  assess: {
79
- dataflow: { tracker, eventFactory: { createPropagationEvent } }
79
+ eventFactory: { createPropagationEvent },
80
+ dataflow: { tracker }
80
81
  }
81
82
  } = core;
82
83
 
package/lib/dataflow/propagation/install/array-prototype-join.js CHANGED
@@ -26,7 +26,8 @@ module.exports = function(core) {
26
26
  scopes: { sources, instrumentation },
27
27
  patcher,
28
28
  assess: {
29
- dataflow: { tracker, eventFactory: { createPropagationEvent } }
29
+ eventFactory: { createPropagationEvent },
30
+ dataflow: { tracker }
30
31
  }
31
32
  } = core;
32
33
 
package/lib/dataflow/propagation/install/buffer.js CHANGED
@@ -19,10 +19,8 @@ const { patchType } = require('../common');
19
19
  module.exports = function(core) {
20
20
  const {
21
21
  assess: {
22
- dataflow: {
23
- eventFactory,
24
- tracker
25
- }
22
+ eventFactory,
23
+ dataflow: { tracker }
26
24
  },
27
25
  patcher,
28
26
  } = core;
package/lib/dataflow/propagation/install/contrast-methods/add.js CHANGED
@@ -26,7 +26,8 @@ module.exports = function(core) {
26
26
  scopes: { instrumentation, sources },
27
27
  patcher,
28
28
  assess: {
29
- dataflow: { tracker, eventFactory: { createPropagationEvent } }
29
+ eventFactory: { createPropagationEvent },
30
+ dataflow: { tracker }
30
31
  }
31
32
  } = core;
32
33
 
package/lib/dataflow/propagation/install/contrast-methods/string.js CHANGED
@@ -32,10 +32,8 @@ module.exports = function(core) {
32
32
  scopes: { sources, instrumentation },
33
33
  patcher,
34
34
  assess: {
35
- dataflow: {
36
- tracker,
37
- eventFactory: { createPropagationEvent },
38
- },
35
+ eventFactory: { createPropagationEvent },
36
+ dataflow: { tracker },
39
37
  }
40
38
  } = core;
41
39
 
package/lib/dataflow/propagation/install/contrast-methods/tag.js CHANGED
@@ -20,10 +20,8 @@ const { patchType } = require('../../common');
20
20
  module.exports = function(core) {
21
21
  const {
22
22
  assess: {
23
- dataflow: {
24
- tracker,
25
- eventFactory: { createPropagationEvent },
26
- },
23
+ eventFactory: { createPropagationEvent },
24
+ dataflow: { tracker },
27
25
  },
28
26
  patcher,
29
27
  scopes: { sources, instrumentation },
package/lib/dataflow/propagation/install/decode-uri-component.js CHANGED
@@ -28,7 +28,8 @@ module.exports = function(core) {
28
28
  scopes: { sources, instrumentation },
29
29
  patcher,
30
30
  assess: {
31
- dataflow: { tracker, eventFactory: { createPropagationEvent } }
31
+ eventFactory: { createPropagationEvent },
32
+ dataflow: { tracker }
32
33
  }
33
34
  } = core;
34
35
 
package/lib/dataflow/propagation/install/ejs/escape-xml.js CHANGED
@@ -29,7 +29,8 @@ module.exports = function(core) {
29
29
  patcher,
30
30
  depHooks,
31
31
  assess: {
32
- dataflow: { tracker, eventFactory: { createPropagationEvent } }
32
+ eventFactory: { createPropagationEvent },
33
+ dataflow: { tracker }
33
34
  }
34
35
  } = core;
35
36
 
package/lib/dataflow/propagation/install/encode-uri-component.js CHANGED
@@ -28,7 +28,8 @@ module.exports = function(core) {
28
28
  scopes: { sources, instrumentation },
29
29
  patcher,
30
30
  assess: {
31
- dataflow: { tracker, eventFactory: { createPropagationEvent } }
31
+ eventFactory: { createPropagationEvent },
32
+ dataflow: { tracker }
32
33
  }
33
34
  } = core;
34
35
 
package/lib/dataflow/propagation/install/escape-html.js CHANGED
@@ -29,7 +29,8 @@ module.exports = function(core) {
29
29
  patcher,
30
30
  depHooks,
31
31
  assess: {
32
- dataflow: { tracker, eventFactory: { createPropagationEvent } }
32
+ eventFactory: { createPropagationEvent },
33
+ dataflow: { tracker }
33
34
  }
34
35
  } = core;
35
36
 
package/lib/dataflow/propagation/install/escape.js CHANGED
@@ -28,7 +28,8 @@ module.exports = function(core) {
28
28
  scopes: { sources, instrumentation },
29
29
  patcher,
30
30
  assess: {
31
- dataflow: { tracker, eventFactory: { createPropagationEvent } }
31
+ eventFactory: { createPropagationEvent },
32
+ dataflow: { tracker }
32
33
  }
33
34
  } = core;
34
35
 
package/lib/dataflow/propagation/install/handlebars-utils-escape-expression.js CHANGED
@@ -29,7 +29,8 @@ module.exports = function(core) {
29
29
  patcher,
30
30
  depHooks,
31
31
  assess: {
32
- dataflow: { tracker, eventFactory: { createPropagationEvent } }
32
+ eventFactory: { createPropagationEvent },
33
+ dataflow: { tracker }
33
34
  }
34
35
  } = core;
35
36
 
package/lib/dataflow/propagation/install/mongoose/schema-map.js CHANGED
@@ -24,9 +24,9 @@ module.exports = function (core) {
24
24
  patcher,
25
25
  depHooks,
26
26
  assess: {
27
+ eventFactory: { createPropagationEvent },
27
28
  dataflow: {
28
29
  tracker,
29
- eventFactory: { createPropagationEvent },
30
30
  propagation: { mongooseInstrumentation },
31
31
  },
32
32
  },
package/lib/dataflow/propagation/install/mongoose/schema-mixed.js CHANGED
@@ -24,9 +24,9 @@ module.exports = function (core) {
24
24
  patcher,
25
25
  depHooks,
26
26
  assess: {
27
+ eventFactory: { createPropagationEvent },
27
28
  dataflow: {
28
29
  tracker,
29
- eventFactory: { createPropagationEvent },
30
30
  propagation: { mongooseInstrumentation },
31
31
  },
32
32
  },
package/lib/dataflow/propagation/install/mongoose/schema-string.js CHANGED
@@ -28,10 +28,8 @@ module.exports = function (core) {
28
28
  patcher,
29
29
  depHooks,
30
30
  assess: {
31
- dataflow: {
32
- tracker,
33
- eventFactory: { createPropagationEvent },
34
- },
31
+ eventFactory: { createPropagationEvent },
32
+ dataflow: { tracker },
35
33
  },
36
34
  } = core;
37
35
 
package/lib/dataflow/propagation/install/mysql-connection-escape.js CHANGED
@@ -29,7 +29,8 @@ module.exports = function(core) {
29
29
  patcher,
30
30
  depHooks,
31
31
  assess: {
32
- dataflow: { tracker, eventFactory: { createPropagationEvent } }
32
+ eventFactory: { createPropagationEvent },
33
+ dataflow: { tracker }
33
34
  }
34
35
  } = core;
35
36
 
package/lib/dataflow/propagation/install/path/basename.js CHANGED
@@ -27,10 +27,8 @@ module.exports = function(core) {
27
27
  patcher,
28
28
  scopes: { sources, instrumentation },
29
29
  assess: {
30
- dataflow: {
31
- tracker,
32
- eventFactory: { createPropagationEvent },
33
- },
30
+ eventFactory: { createPropagationEvent },
31
+ dataflow: { tracker },
34
32
  },
35
33
  } = core;
36
34
 
package/lib/dataflow/propagation/install/path/join-and-resolve.js CHANGED
@@ -28,10 +28,8 @@ module.exports = function(core) {
28
28
  patcher,
29
29
  scopes: { sources, instrumentation },
30
30
  assess: {
31
- dataflow: {
32
- tracker,
33
- eventFactory: { createPropagationEvent },
34
- },
31
+ eventFactory: { createPropagationEvent },
32
+ dataflow: { tracker },
35
33
  },
36
34
  } = core;
37
35
 
package/lib/dataflow/propagation/install/path/normalize.js CHANGED
@@ -27,10 +27,8 @@ module.exports = function(core) {
27
27
  patcher,
28
28
  scopes: { sources, instrumentation },
29
29
  assess: {
30
- dataflow: {
31
- tracker,
32
- eventFactory: { createPropagationEvent },
33
- },
30
+ eventFactory: { createPropagationEvent },
31
+ dataflow: { tracker },
34
32
  },
35
33
  } = core;
36
34
 
package/lib/dataflow/propagation/install/pug-runtime-escape.js CHANGED
@@ -29,7 +29,8 @@ module.exports = function(core) {
29
29
  patcher,
30
30
  depHooks,
31
31
  assess: {
32
- dataflow: { tracker, eventFactory: { createPropagationEvent } }
32
+ eventFactory: { createPropagationEvent },
33
+ dataflow: { tracker }
33
34
  }
34
35
  } = core;
35
36
 
package/lib/dataflow/propagation/install/querystring/parse.js CHANGED
@@ -31,7 +31,8 @@ module.exports = function(core) {
31
31
  patcher,
32
32
  depHooks,
33
33
  assess: {
34
- dataflow: { tracker, eventFactory: { createPropagationEvent } }
34
+ eventFactory: { createPropagationEvent },
35
+ dataflow: { tracker }
35
36
  }
36
37
  } = core;
37
38
 
package/lib/dataflow/propagation/install/reg-exp-prototype-exec.js CHANGED
@@ -23,10 +23,8 @@ module.exports = function(core) {
23
23
  scopes: { sources, instrumentation },
24
24
  patcher,
25
25
  assess: {
26
- dataflow: {
27
- tracker,
28
- eventFactory: { createPropagationEvent },
29
- },
26
+ eventFactory: { createPropagationEvent },
27
+ dataflow: { tracker },
30
28
  },
31
29
  } = core;
32
30
 
package/lib/dataflow/propagation/install/sequelize.js CHANGED
@@ -27,10 +27,8 @@ module.exports = function(core) {
27
27
  patcher,
28
28
  depHooks,
29
29
  assess: {
30
- dataflow: {
31
- tracker,
32
- eventFactory: { createPropagationEvent },
33
- },
30
+ eventFactory: { createPropagationEvent },
31
+ dataflow: { tracker },
34
32
  },
35
33
  } = core;
36
34
 
package/lib/dataflow/propagation/install/sql-template-strings.js CHANGED
@@ -26,7 +26,8 @@ module.exports = function(core) {
26
26
  patcher,
27
27
  depHooks,
28
28
  assess: {
29
- dataflow: { tracker, eventFactory: { createPropagationEvent } }
29
+ eventFactory: { createPropagationEvent },
30
+ dataflow: { tracker }
30
31
  }
31
32
  } = core;
32
33
 
package/lib/dataflow/propagation/install/string/concat.js CHANGED
@@ -26,7 +26,8 @@ module.exports = function(core) {
26
26
  scopes: { sources, instrumentation },
27
27
  patcher,
28
28
  assess: {
29
- dataflow: { tracker, eventFactory: { createPropagationEvent } }
29
+ eventFactory: { createPropagationEvent },
30
+ dataflow: { tracker }
30
31
  }
31
32
  } = core;
32
33
 
package/lib/dataflow/propagation/install/string/format-methods.js CHANGED
@@ -22,7 +22,8 @@ module.exports = function(core) {
22
22
  scopes: { sources, instrumentation },
23
23
  patcher,
24
24
  assess: {
25
- dataflow: { tracker, eventFactory: { createPropagationEvent } }
25
+ eventFactory: { createPropagationEvent },
26
+ dataflow: { tracker }
26
27
  }
27
28
  } = core;
28
29
 
package/lib/dataflow/propagation/install/string/html-methods.js CHANGED
@@ -36,7 +36,8 @@ module.exports = function(core) {
36
36
  scopes: { sources, instrumentation },
37
37
  patcher,
38
38
  assess: {
39
- dataflow: { tracker, eventFactory: { createPropagationEvent } }
39
+ eventFactory: { createPropagationEvent },
40
+ dataflow: { tracker }
40
41
  }
41
42
  } = core;
42
43
  function adjustTags(method, objTags, argLength, argTags = null) {
package/lib/dataflow/propagation/install/string/index.js CHANGED
@@ -23,7 +23,8 @@ module.exports = function(core) {
23
23
  scopes: { sources, instrumentation },
24
24
  patcher,
25
25
  assess: {
26
- dataflow: { tracker, eventFactory: { createPropagationEvent } }
26
+ eventFactory: { createPropagationEvent },
27
+ dataflow: { tracker }
27
28
  }
28
29
  } = core;
29
30
  const stringInstrumentation = core.assess.dataflow.propagation.stringInstrumentation = {
package/lib/dataflow/propagation/install/string/match-all.js CHANGED
@@ -23,9 +23,9 @@ module.exports = function(core) {
23
23
  scopes: { sources, instrumentation },
24
24
  patcher,
25
25
  assess: {
26
+ eventFactory: { createPropagationEvent },
26
27
  dataflow: {
27
28
  tracker,
28
- eventFactory: { createPropagationEvent },
29
29
  propagation: { stringInstrumentation },
30
30
  },
31
31
  },
package/lib/dataflow/propagation/install/string/match.js CHANGED
@@ -23,9 +23,9 @@ module.exports = function(core) {
23
23
  scopes: { sources, instrumentation },
24
24
  patcher,
25
25
  assess: {
26
+ eventFactory: { createPropagationEvent },
26
27
  dataflow: {
27
28
  tracker,
28
- eventFactory: { createPropagationEvent },
29
29
  propagation: { stringInstrumentation },
30
30
  },
31
31
  },
package/lib/dataflow/propagation/install/string/replace.js CHANGED
@@ -28,7 +28,8 @@ module.exports = function(core) {
28
28
  const {
29
29
  patcher,
30
30
  assess: {
31
- dataflow: { tracker, eventFactory: { createPropagationEvent } }
31
+ eventFactory: { createPropagationEvent },
32
+ dataflow: { tracker }
32
33
  },
33
34
  scopes: { sources, instrumentation }
34
35
  } = core;
package/lib/dataflow/propagation/install/string/slice.js CHANGED
@@ -22,7 +22,8 @@ module.exports = function(core) {
22
22
  scopes: { sources, instrumentation },
23
23
  patcher,
24
24
  assess: {
25
- dataflow: { tracker, eventFactory: { createPropagationEvent } }
25
+ eventFactory: { createPropagationEvent },
26
+ dataflow: { tracker }
26
27
  }
27
28
  } = core;
28
29
 
package/lib/dataflow/propagation/install/string/split.js CHANGED
@@ -25,7 +25,8 @@ module.exports = function(core) {
25
25
  scopes: { sources, instrumentation },
26
26
  patcher,
27
27
  assess: {
28
- dataflow: { tracker, eventFactory: { createPropagationEvent } }
28
+ eventFactory: { createPropagationEvent },
29
+ dataflow: { tracker }
29
30
  }
30
31
  } = core;
31
32
 
package/lib/dataflow/propagation/install/string/substring.js CHANGED
@@ -24,7 +24,8 @@ module.exports = function(core) {
24
24
  scopes: { sources, instrumentation },
25
25
  patcher,
26
26
  assess: {
27
- dataflow: { tracker, eventFactory: { createPropagationEvent } }
27
+ eventFactory: { createPropagationEvent },
28
+ dataflow: { tracker }
28
29
  }
29
30
  } = core;
30
31
 
package/lib/dataflow/propagation/install/string/trim.js CHANGED
@@ -25,7 +25,8 @@ module.exports = function(core) {
25
25
  scopes: { sources, instrumentation },
26
26
  patcher,
27
27
  assess: {
28
- dataflow: { tracker, eventFactory: { createPropagationEvent } }
28
+ eventFactory: { createPropagationEvent },
29
+ dataflow: { tracker }
29
30
  }
30
31
  } = core;
31
32
 
package/lib/dataflow/propagation/install/unescape.js CHANGED
@@ -28,7 +28,8 @@ module.exports = function(core) {
28
28
  scopes: { sources, instrumentation },
29
29
  patcher,
30
30
  assess: {
31
- dataflow: { tracker, eventFactory: { createPropagationEvent } }
31
+ eventFactory: { createPropagationEvent },
32
+ dataflow: { tracker }
32
33
  }
33
34
  } = core;
34
35
 
package/lib/dataflow/propagation/install/url/domain-parsers.js CHANGED
@@ -26,7 +26,8 @@ module.exports = function(core) {
26
26
  patcher,
27
27
  depHooks,
28
28
  assess: {
29
- dataflow: { tracker, eventFactory: { createPropagationEvent } }
29
+ eventFactory: { createPropagationEvent },
30
+ dataflow: { tracker }
30
31
  }
31
32
  } = core;
32
33
 
package/lib/dataflow/propagation/install/url/parse.js CHANGED
@@ -1,5 +1,5 @@
1
1
  /*
2
- * Copyright: 2022 Contrast Security, Inc
2
+ * Copyright: 2023 Contrast Security, Inc
3
3
  * Contact: support@contrastsecurity.com
4
4
  * License: Commercial
5
5
 
@@ -24,7 +24,8 @@ module.exports = function(core) {
24
24
  patcher,
25
25
  depHooks,
26
26
  assess: {
27
- dataflow: { tracker, eventFactory: { createPropagationEvent } }
27
+ eventFactory: { createPropagationEvent },
28
+ dataflow: { tracker }
28
29
  }
29
30
  } = core;
30
31
 
package/lib/dataflow/propagation/install/url/searchParams.js CHANGED
@@ -1,5 +1,5 @@
1
1
  /*
2
- * Copyright: 2022 Contrast Security, Inc
2
+ * Copyright: 2023 Contrast Security, Inc
3
3
  * Contact: support@contrastsecurity.com
4
4
  * License: Commercial
5
5
 
@@ -24,7 +24,8 @@ module.exports = function(core) {
24
24
  patcher,
25
25
  depHooks,
26
26
  assess: {
27
- dataflow: { tracker, eventFactory: { createPropagationEvent } }
27
+ eventFactory: { createPropagationEvent },
28
+ dataflow: { tracker }
28
29
  }
29
30
  } = core;
30
31
 
@@ -75,18 +76,24 @@ module.exports = function(core) {
75
76
  const endIdx = query.indexOf('=');
76
77
  const key = query.substring(startIdx, endIdx);
77
78
  const param = query.substring(endIdx + 1, query.length);
78
- const paramInfo = tracker.getData(param);
79
- if (!paramInfo) return;
80
79
 
81
- const event = getPropagationEvent(params, paramInfo, data);
82
- if (!event);
80
+ const keyInfo = tracker.getData(key);
81
+ const paramInfo = tracker.getData(param);
83
82
 
84
- Object.assign(paramInfo, event);
85
- const { extern } = paramInfo || tracker.track(param, event);
83
+ if (keyInfo) {
84
+ const event = getPropagationEvent(params, keyInfo, data);
85
+ if (event) Object.assign(keyInfo, event);
86
+ }
86
87
 
87
- if (extern) {
88
- result.set(key, extern);
88
+ if (paramInfo) {
89
+ const event = getPropagationEvent(params, paramInfo, data);
90
+ if (event) Object.assign(paramInfo, event);
89
91
  }
92
+
93
+ const trackedKey = keyInfo?.extern;
94
+ const trackedParam = paramInfo?.extern;
95
+ if (trackedKey) result.delete(key);
96
+ result.set(trackedKey || key, trackedParam || param);
90
97
  });
91
98
  }
92
99
 
package/lib/dataflow/propagation/install/url/url.js CHANGED
@@ -24,7 +24,8 @@ module.exports = function(core) {
24
24
  patcher,
25
25
  depHooks,
26
26
  assess: {
27
- dataflow: { tracker, eventFactory: { createPropagationEvent } }
27
+ eventFactory: { createPropagationEvent },
28
+ dataflow: { tracker }
28
29
  }
29
30
  } = core;
30
31
 
package/lib/dataflow/propagation/install/validator/hooks.js CHANGED
@@ -23,7 +23,8 @@ module.exports = function(core) {
23
23
  depHooks,
24
24
  patcher,
25
25
  assess: {
26
- dataflow: { tracker, eventFactory: { createPropagationEvent } }
26
+ eventFactory: { createPropagationEvent },
27
+ dataflow: { tracker }
27
28
  }
28
29
  } = core;
29
30
 
package/lib/dataflow/sinks/install/child-process.js CHANGED
@@ -30,10 +30,10 @@ module.exports = function(core) {
30
30
  patcher,
31
31
  scopes: { sources },
32
32
  assess: {
33
+ eventFactory: { createSinkEvent },
33
34
  dataflow: {
34
35
  tracker,
35
36
  sinks: { isVulnerable, reportFindings },
36
- eventFactory: { createSinkEvent },
37
37
  },
38
38
  },
39
39
  } = core;
package/lib/dataflow/sinks/install/eval.js CHANGED
@@ -44,10 +44,10 @@ module.exports = function(core) {
44
44
  patcher,
45
45
  scopes: { sources, instrumentation },
46
46
  assess: {
47
+ eventFactory: { createSinkEvent },
47
48
  dataflow: {
48
49
  tracker,
49
50
  sinks: { isVulnerable, reportFindings, reportSafePositive },
50
- eventFactory: { createSinkEvent },
51
51
  },
52
52
  },
53
53
  } = core;
package/lib/dataflow/sinks/install/express/unvalidated-redirect.js CHANGED
@@ -39,10 +39,10 @@ module.exports = function(core) {
39
39
  config,
40
40
  scopes: { sources },
41
41
  assess: {
42
+ eventFactory: { createSinkEvent },
42
43
  dataflow: {
43
44
  tracker,
44
- sinks: { isVulnerable, reportFindings, reportSafePositive },
45
- eventFactory: { createSinkEvent },
45
+ sinks: { isVulnerable, reportFindings, reportSafePositive }
46
46
  },
47
47
  },
48
48
  } = core;
package/lib/dataflow/sinks/install/fastify/unvalidated-redirect.js CHANGED
@@ -58,10 +58,10 @@ module.exports = function(core) {
58
58
  patcher,
59
59
  scopes: { sources },
60
60
  assess: {
61
+ eventFactory: { createSinkEvent },
61
62
  dataflow: {
62
63
  tracker,
63
64
  sinks: { isVulnerable, reportFindings, reportSafePositive },
64
- eventFactory: { createSinkEvent },
65
65
  },
66
66
  },
67
67
  } = core;
package/lib/dataflow/sinks/install/fs.js CHANGED
@@ -36,10 +36,10 @@ module.exports = function(core) {
36
36
  patcher,
37
37
  scopes: { sources },
38
38
  assess: {
39
+ eventFactory: { createSinkEvent },
39
40
  dataflow: {
40
41
  tracker,
41
42
  sinks: { isVulnerable, reportFindings },
42
- eventFactory: { createSinkEvent },
43
43
  },
44
44
  },
45
45
  } = core;
package/lib/dataflow/sinks/install/function.js CHANGED
@@ -46,10 +46,10 @@ module.exports = function(core) {
46
46
  patcher,
47
47
  scopes: { sources, instrumentation },
48
48
  assess: {
49
+ eventFactory: { createSinkEvent },
49
50
  dataflow: {
50
51
  tracker,
51
52
  sinks: { isVulnerable, reportFindings, reportSafePositive },
52
- eventFactory: { createSinkEvent },
53
53
  },
54
54
  },
55
55
  } = core;
package/lib/dataflow/sinks/install/http/request.js CHANGED
@@ -38,13 +38,13 @@ module.exports = function(core) {
38
38
  patcher,
39
39
  scopes: { sources },
40
40
  assess: {
41
+ eventFactory: { createSinkEvent },
41
42
  dataflow: {
42
43
  tracker,
43
44
  sinks: {
44
45
  isVulnerable,
45
46
  reportFindings
46
47
  },
47
- eventFactory: { createSinkEvent },
48
48
  },
49
49
  },
50
50
  } = core;