@contrast/assess 1.11.0 → 1.13.0
This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
- package/LICENSE +12 -0
- package/lib/dataflow/index.js +0 -1
- package/lib/dataflow/propagation/index.js +2 -0
- package/lib/dataflow/propagation/install/JSON/parse.js +2 -4
- package/lib/dataflow/propagation/install/JSON/stringify.js +2 -1
- package/lib/dataflow/propagation/install/array-prototype-join.js +2 -1
- package/lib/dataflow/propagation/install/buffer.js +2 -4
- package/lib/dataflow/propagation/install/contrast-methods/add.js +2 -1
- package/lib/dataflow/propagation/install/contrast-methods/string.js +2 -4
- package/lib/dataflow/propagation/install/contrast-methods/tag.js +2 -4
- package/lib/dataflow/propagation/install/decode-uri-component.js +2 -1
- package/lib/dataflow/propagation/install/ejs/escape-xml.js +2 -1
- package/lib/dataflow/propagation/install/encode-uri-component.js +2 -1
- package/lib/dataflow/propagation/install/escape-html.js +2 -1
- package/lib/dataflow/propagation/install/escape.js +2 -1
- package/lib/dataflow/propagation/install/handlebars-utils-escape-expression.js +2 -1
- package/lib/dataflow/propagation/install/joi/index.js +35 -0
- package/lib/dataflow/propagation/install/joi/keys.js +140 -0
- package/lib/dataflow/propagation/install/joi/string-schema.js +269 -0
- package/lib/dataflow/propagation/install/joi/values.js +141 -0
- package/lib/dataflow/propagation/install/mongoose/schema-map.js +1 -1
- package/lib/dataflow/propagation/install/mongoose/schema-mixed.js +1 -1
- package/lib/dataflow/propagation/install/mongoose/schema-string.js +2 -4
- package/lib/dataflow/propagation/install/mysql-connection-escape.js +2 -1
- package/lib/dataflow/propagation/install/path/basename.js +2 -4
- package/lib/dataflow/propagation/install/path/join-and-resolve.js +2 -4
- package/lib/dataflow/propagation/install/path/normalize.js +2 -4
- package/lib/dataflow/propagation/install/pug/index.js +2 -2
- package/lib/dataflow/propagation/install/pug-runtime-escape.js +2 -1
- package/lib/dataflow/propagation/install/querystring/parse.js +2 -1
- package/lib/dataflow/propagation/install/reg-exp-prototype-exec.js +2 -4
- package/lib/dataflow/propagation/install/send.js +60 -0
- package/lib/dataflow/propagation/install/sequelize.js +6 -8
- package/lib/dataflow/propagation/install/sql-template-strings.js +2 -1
- package/lib/dataflow/propagation/install/string/concat.js +2 -1
- package/lib/dataflow/propagation/install/string/format-methods.js +2 -1
- package/lib/dataflow/propagation/install/string/html-methods.js +2 -1
- package/lib/dataflow/propagation/install/string/index.js +2 -1
- package/lib/dataflow/propagation/install/string/match-all.js +1 -1
- package/lib/dataflow/propagation/install/string/match.js +1 -1
- package/lib/dataflow/propagation/install/string/replace.js +2 -1
- package/lib/dataflow/propagation/install/string/slice.js +2 -1
- package/lib/dataflow/propagation/install/string/split.js +2 -1
- package/lib/dataflow/propagation/install/string/substring.js +2 -1
- package/lib/dataflow/propagation/install/string/trim.js +2 -1
- package/lib/dataflow/propagation/install/unescape.js +2 -1
- package/lib/dataflow/propagation/install/url/domain-parsers.js +2 -1
- package/lib/dataflow/propagation/install/url/parse.js +3 -2
- package/lib/dataflow/propagation/install/url/searchParams.js +17 -10
- package/lib/dataflow/propagation/install/url/url.js +2 -1
- package/lib/dataflow/propagation/install/validator/hooks.js +2 -1
- package/lib/dataflow/sinks/install/child-process.js +1 -1
- package/lib/dataflow/sinks/install/eval.js +1 -1
- package/lib/dataflow/sinks/install/express/unvalidated-redirect.js +2 -2
- package/lib/dataflow/sinks/install/fastify/unvalidated-redirect.js +1 -1
- package/lib/dataflow/sinks/install/fs.js +3 -3
- package/lib/dataflow/sinks/install/function.js +1 -1
- package/lib/dataflow/sinks/install/http/request.js +1 -1
- package/lib/dataflow/sinks/install/http/server-response.js +1 -1
- package/lib/dataflow/sinks/install/koa/unvalidated-redirect.js +1 -1
- package/lib/dataflow/sinks/install/marsdb.js +1 -1
- package/lib/dataflow/sinks/install/mongodb.js +2 -2
- package/lib/dataflow/sinks/install/mssql.js +1 -1
- package/lib/dataflow/sinks/install/mysql.js +2 -2
- package/lib/dataflow/sinks/install/postgres.js +1 -1
- package/lib/dataflow/sinks/install/sequelize.js +1 -1
- package/lib/dataflow/sinks/install/sqlite3.js +1 -1
- package/lib/dataflow/sinks/install/vm.js +1 -1
- package/lib/dataflow/sources/handler.js +2 -2
- package/lib/dataflow/sources/install/body-parser1.js +2 -2
- package/lib/dataflow/sources/install/fastify/fastify.js +1 -1
- package/lib/dataflow/sources/install/http.js +11 -10
- package/lib/dataflow/tracker.js +1 -5
- package/lib/{dataflow/event-factory.js → event-factory.js} +57 -1
- package/lib/index.js +3 -1
- package/lib/response-scanning/install/http.js +3 -2
- package/lib/session-configuration/common.js +19 -0
- package/lib/session-configuration/handlers.js +86 -0
- package/lib/session-configuration/index.js +5 -8
- package/lib/session-configuration/install/express-session.js +131 -0
- package/package.json +11 -10
- package/lib/session-configuration/install/http.js +0 -79
|
@@ -0,0 +1,141 @@
|
|
|
1
|
+
/*
|
|
2
|
+
* Copyright: 2023 Contrast Security, Inc
|
|
3
|
+
* Contact: support@contrastsecurity.com
|
|
4
|
+
* License: Commercial
|
|
5
|
+
|
|
6
|
+
* NOTICE: This Software and the patented inventions embodied within may only be
|
|
7
|
+
* used as part of Contrast Security’s commercial offerings. Even though it is
|
|
8
|
+
* made available through public repositories, use of this Software is subject to
|
|
9
|
+
* the applicable End User Licensing Agreement found at
|
|
10
|
+
* https://www.contrastsecurity.com/enduser-terms-0317a or as otherwise agreed
|
|
11
|
+
* between Contrast Security and the End User. The Software may not be reverse
|
|
12
|
+
* engineered, modified, repackaged, sold, redistributed or otherwise used in a
|
|
13
|
+
* way not consistent with the End User License Agreement.
|
|
14
|
+
*/
|
|
15
|
+
|
|
16
|
+
'use strict';
|
|
17
|
+
|
|
18
|
+
const {
|
|
19
|
+
isNonEmptyObject, isString, inspect, traverseValues, join
|
|
20
|
+
} = require('@contrast/common');
|
|
21
|
+
const { createMergedTags } = require('../../../tag-utils');
|
|
22
|
+
const { patchType } = require('../../common');
|
|
23
|
+
|
|
24
|
+
module.exports = function(core) {
|
|
25
|
+
const {
|
|
26
|
+
depHooks,
|
|
27
|
+
scopes: { sources, instrumentation },
|
|
28
|
+
patcher,
|
|
29
|
+
assess: {
|
|
30
|
+
eventFactory: { createPropagationEvent },
|
|
31
|
+
dataflow: { tracker },
|
|
32
|
+
},
|
|
33
|
+
} = core;
|
|
34
|
+
|
|
35
|
+
function instrumentJoiValues(values) {
|
|
36
|
+
patcher.patch(values.prototype, 'get', {
|
|
37
|
+
name: 'joi.values',
|
|
38
|
+
patchType,
|
|
39
|
+
post(data) {
|
|
40
|
+
const {
|
|
41
|
+
args: [value, state, prefs],
|
|
42
|
+
result,
|
|
43
|
+
} = data;
|
|
44
|
+
|
|
45
|
+
if (
|
|
46
|
+
!value ||
|
|
47
|
+
!result ||
|
|
48
|
+
!sources.getStore()?.assess ||
|
|
49
|
+
instrumentation.isLocked()
|
|
50
|
+
) return;
|
|
51
|
+
|
|
52
|
+
const metadata = {
|
|
53
|
+
state: inspect(state),
|
|
54
|
+
prefs: inspect(prefs),
|
|
55
|
+
orig: data.orig
|
|
56
|
+
};
|
|
57
|
+
const targetAbsolutePath = join(result.ref.absolute(state), '.');
|
|
58
|
+
|
|
59
|
+
if (isString(value)) {
|
|
60
|
+
validateStringValue(value, result.value, result.ref, targetAbsolutePath, metadata);
|
|
61
|
+
} else if (isNonEmptyObject(value)) {
|
|
62
|
+
traverseValues(value, (path, _type, v) => {
|
|
63
|
+
validateStringValue(v, result.value, result.ref, join([...targetAbsolutePath, ...path], '.'), metadata, path);
|
|
64
|
+
});
|
|
65
|
+
}
|
|
66
|
+
},
|
|
67
|
+
});
|
|
68
|
+
}
|
|
69
|
+
|
|
70
|
+
function validateStringValue(value, resValue, ref, targetAbsolutePath, metadata, path = []) {
|
|
71
|
+
const strInfo = ref && tracker.getData(value);
|
|
72
|
+
const resStringValue = path.reduce((acc, val) => acc[val] || acc, resValue);
|
|
73
|
+
|
|
74
|
+
if (strInfo) {
|
|
75
|
+
const validations = strInfo.eventualValidations?.[targetAbsolutePath];
|
|
76
|
+
const mappedValueInfo = ref.map && tracker.getData(resStringValue);
|
|
77
|
+
const adjustedValueInfo = ref.adjust && tracker.getData(resStringValue);
|
|
78
|
+
|
|
79
|
+
if (validations?.length && !ref.map && !ref.adjust) {
|
|
80
|
+
validations.forEach(validation => validation(strInfo));
|
|
81
|
+
|
|
82
|
+
delete strInfo.eventualValidations[targetAbsolutePath];
|
|
83
|
+
!Object.keys(strInfo.eventualValidations).length && delete strInfo.eventualValidations;
|
|
84
|
+
}
|
|
85
|
+
|
|
86
|
+
if (mappedValueInfo || adjustedValueInfo) {
|
|
87
|
+
const resultInfo = mappedValueInfo || adjustedValueInfo;
|
|
88
|
+
const mergedTags = createMergedTags(strInfo.tags, resultInfo.tags);
|
|
89
|
+
const addedTags = [
|
|
90
|
+
Object.keys(resultInfo.tags).filter((tag) => !(Object.keys(strInfo.tags).find(t => t === tag))),
|
|
91
|
+
Object.keys(strInfo.tags).filter((tag) => !(Object.keys(resultInfo.tags).find(t => t === tag)))
|
|
92
|
+
];
|
|
93
|
+
|
|
94
|
+
[strInfo, resultInfo].forEach((info, idx) => {
|
|
95
|
+
const event = createPropagationEvent({
|
|
96
|
+
addedTags: [addedTags[idx]],
|
|
97
|
+
name: 'Joi.values.get',
|
|
98
|
+
moduleName: 'joi',
|
|
99
|
+
methodName: 'values.get',
|
|
100
|
+
history: [{ ...info }],
|
|
101
|
+
object: {
|
|
102
|
+
tracked: false,
|
|
103
|
+
value: 'Joi.string',
|
|
104
|
+
},
|
|
105
|
+
args: [
|
|
106
|
+
{ tracked: true, value: info.value },
|
|
107
|
+
{ tracked: false, value: metadata.state },
|
|
108
|
+
{ tracked: false, value: metadata.prefs },
|
|
109
|
+
],
|
|
110
|
+
result: {
|
|
111
|
+
tracked: false,
|
|
112
|
+
value: inspect({ value: resultInfo.value, ref }),
|
|
113
|
+
},
|
|
114
|
+
source: 'P0',
|
|
115
|
+
tags: mergedTags,
|
|
116
|
+
target: 'A',
|
|
117
|
+
stacktraceOpts: {
|
|
118
|
+
prependFrames: [metadata.orig],
|
|
119
|
+
},
|
|
120
|
+
});
|
|
121
|
+
|
|
122
|
+
if (event) {
|
|
123
|
+
Object.assign(info, event);
|
|
124
|
+
}
|
|
125
|
+
});
|
|
126
|
+
} else {
|
|
127
|
+
(ref.map || ref.adjust) && tracker.untrack(value);
|
|
128
|
+
}
|
|
129
|
+
}
|
|
130
|
+
}
|
|
131
|
+
|
|
132
|
+
return (core.assess.dataflow.propagation.joiInstrumentation.values = {
|
|
133
|
+
install() {
|
|
134
|
+
depHooks.resolve(
|
|
135
|
+
{ name: 'joi', file: 'lib/values.js', version: '>=17.0.0' },
|
|
136
|
+
instrumentJoiValues
|
|
137
|
+
);
|
|
138
|
+
},
|
|
139
|
+
});
|
|
140
|
+
};
|
|
141
|
+
|
|
@@ -27,10 +27,8 @@ module.exports = function(core) {
|
|
|
27
27
|
patcher,
|
|
28
28
|
scopes: { sources, instrumentation },
|
|
29
29
|
assess: {
|
|
30
|
-
|
|
31
|
-
|
|
32
|
-
eventFactory: { createPropagationEvent },
|
|
33
|
-
},
|
|
30
|
+
eventFactory: { createPropagationEvent },
|
|
31
|
+
dataflow: { tracker },
|
|
34
32
|
},
|
|
35
33
|
} = core;
|
|
36
34
|
|
|
@@ -28,10 +28,8 @@ module.exports = function(core) {
|
|
|
28
28
|
patcher,
|
|
29
29
|
scopes: { sources, instrumentation },
|
|
30
30
|
assess: {
|
|
31
|
-
|
|
32
|
-
|
|
33
|
-
eventFactory: { createPropagationEvent },
|
|
34
|
-
},
|
|
31
|
+
eventFactory: { createPropagationEvent },
|
|
32
|
+
dataflow: { tracker },
|
|
35
33
|
},
|
|
36
34
|
} = core;
|
|
37
35
|
|
|
@@ -27,10 +27,8 @@ module.exports = function(core) {
|
|
|
27
27
|
patcher,
|
|
28
28
|
scopes: { sources, instrumentation },
|
|
29
29
|
assess: {
|
|
30
|
-
|
|
31
|
-
|
|
32
|
-
eventFactory: { createPropagationEvent },
|
|
33
|
-
},
|
|
30
|
+
eventFactory: { createPropagationEvent },
|
|
31
|
+
dataflow: { tracker },
|
|
34
32
|
},
|
|
35
33
|
} = core;
|
|
36
34
|
|
|
@@ -16,7 +16,7 @@
|
|
|
16
16
|
|
|
17
17
|
const { patchType } = require('../../common');
|
|
18
18
|
|
|
19
|
-
module.exports = function(core) {
|
|
19
|
+
module.exports = function (core) {
|
|
20
20
|
const store = { lock: true, name: 'assess:propagators:pug-compile' };
|
|
21
21
|
const {
|
|
22
22
|
scopes: { sources, instrumentation },
|
|
@@ -28,7 +28,7 @@ module.exports = function(core) {
|
|
|
28
28
|
const pugInstrumentation = {
|
|
29
29
|
install() {
|
|
30
30
|
depHooks.resolve(
|
|
31
|
-
{ name: 'pug'
|
|
31
|
+
{ name: 'pug' },
|
|
32
32
|
(pug) => patcher.patch(pug, 'compile', {
|
|
33
33
|
name: 'pug.compile',
|
|
34
34
|
patchType,
|
|
@@ -23,10 +23,8 @@ module.exports = function(core) {
|
|
|
23
23
|
scopes: { sources, instrumentation },
|
|
24
24
|
patcher,
|
|
25
25
|
assess: {
|
|
26
|
-
|
|
27
|
-
|
|
28
|
-
eventFactory: { createPropagationEvent },
|
|
29
|
-
},
|
|
26
|
+
eventFactory: { createPropagationEvent },
|
|
27
|
+
dataflow: { tracker },
|
|
30
28
|
},
|
|
31
29
|
} = core;
|
|
32
30
|
|
|
@@ -0,0 +1,60 @@
|
|
|
1
|
+
/*
|
|
2
|
+
* Copyright: 2023 Contrast Security, Inc
|
|
3
|
+
* Contact: support@contrastsecurity.com
|
|
4
|
+
* License: Commercial
|
|
5
|
+
|
|
6
|
+
* NOTICE: This Software and the patented inventions embodied within may only be
|
|
7
|
+
* used as part of Contrast Security’s commercial offerings. Even though it is
|
|
8
|
+
* made available through public repositories, use of this Software is subject to
|
|
9
|
+
* the applicable End User Licensing Agreement found at
|
|
10
|
+
* https://www.contrastsecurity.com/enduser-terms-0317a or as otherwise agreed
|
|
11
|
+
* between Contrast Security and the End User. The Software may not be reverse
|
|
12
|
+
* engineered, modified, repackaged, sold, redistributed or otherwise used in a
|
|
13
|
+
* way not consistent with the End User License Agreement.
|
|
14
|
+
*/
|
|
15
|
+
'use strict';
|
|
16
|
+
|
|
17
|
+
const { patchType } = require('../common');
|
|
18
|
+
const { slice } = require('@contrast/common');
|
|
19
|
+
|
|
20
|
+
module.exports = function (core) {
|
|
21
|
+
const {
|
|
22
|
+
scopes: { sources, instrumentation },
|
|
23
|
+
depHooks,
|
|
24
|
+
patcher
|
|
25
|
+
} = core;
|
|
26
|
+
|
|
27
|
+
const send = {};
|
|
28
|
+
core.assess.dataflow.propagation.send = send;
|
|
29
|
+
|
|
30
|
+
function patchSendModule(sendModuleExport) {
|
|
31
|
+
return patcher.patch(sendModuleExport, {
|
|
32
|
+
name: 'send',
|
|
33
|
+
patchType,
|
|
34
|
+
post(data) {
|
|
35
|
+
patcher.patch(data.result, 'sendFile', {
|
|
36
|
+
name: 'send.sendFile',
|
|
37
|
+
patchType,
|
|
38
|
+
pre(data) {
|
|
39
|
+
const { args } = data;
|
|
40
|
+
|
|
41
|
+
if (!sources.getStore()?.assess || instrumentation.isLocked()) {
|
|
42
|
+
return;
|
|
43
|
+
}
|
|
44
|
+
|
|
45
|
+
const untrackedPath = slice(` ${args[0]}`, 1);
|
|
46
|
+
args[0] = untrackedPath;
|
|
47
|
+
},
|
|
48
|
+
});
|
|
49
|
+
},
|
|
50
|
+
});
|
|
51
|
+
}
|
|
52
|
+
|
|
53
|
+
send.install = function () {
|
|
54
|
+
depHooks.resolve({ name: 'send' }, (sendModule) =>
|
|
55
|
+
patchSendModule(sendModule)
|
|
56
|
+
);
|
|
57
|
+
};
|
|
58
|
+
|
|
59
|
+
return send;
|
|
60
|
+
};
|
|
@@ -27,14 +27,12 @@ module.exports = function(core) {
|
|
|
27
27
|
patcher,
|
|
28
28
|
depHooks,
|
|
29
29
|
assess: {
|
|
30
|
-
|
|
31
|
-
|
|
32
|
-
eventFactory: { createPropagationEvent },
|
|
33
|
-
},
|
|
30
|
+
eventFactory: { createPropagationEvent },
|
|
31
|
+
dataflow: { tracker },
|
|
34
32
|
},
|
|
35
33
|
} = core;
|
|
36
34
|
|
|
37
|
-
function
|
|
35
|
+
function getFormatPositions(str) {
|
|
38
36
|
const positions = [];
|
|
39
37
|
let index = -1;
|
|
40
38
|
|
|
@@ -52,7 +50,7 @@ module.exports = function(core) {
|
|
|
52
50
|
return Array.from(matches, (match) => ({ [match[1]]: match.index }));
|
|
53
51
|
}
|
|
54
52
|
|
|
55
|
-
return
|
|
53
|
+
return core.assess.dataflow.propagation.sequelizeInstrumentation = {
|
|
56
54
|
install() {
|
|
57
55
|
depHooks.resolve(
|
|
58
56
|
{ name: 'sequelize', file: 'lib/sql-string.js' },
|
|
@@ -135,7 +133,7 @@ module.exports = function(core) {
|
|
|
135
133
|
return;
|
|
136
134
|
}
|
|
137
135
|
|
|
138
|
-
const positions =
|
|
136
|
+
const positions = getFormatPositions(data.args[0]);
|
|
139
137
|
const firstArgInfo = tracker.getData(data.args[0]);
|
|
140
138
|
|
|
141
139
|
if (!positions.length) {
|
|
@@ -309,5 +307,5 @@ module.exports = function(core) {
|
|
|
309
307
|
}
|
|
310
308
|
);
|
|
311
309
|
},
|
|
312
|
-
}
|
|
310
|
+
};
|
|
313
311
|
};
|
|
@@ -36,7 +36,8 @@ module.exports = function(core) {
|
|
|
36
36
|
scopes: { sources, instrumentation },
|
|
37
37
|
patcher,
|
|
38
38
|
assess: {
|
|
39
|
-
|
|
39
|
+
eventFactory: { createPropagationEvent },
|
|
40
|
+
dataflow: { tracker }
|
|
40
41
|
}
|
|
41
42
|
} = core;
|
|
42
43
|
function adjustTags(method, objTags, argLength, argTags = null) {
|
|
@@ -23,7 +23,8 @@ module.exports = function(core) {
|
|
|
23
23
|
scopes: { sources, instrumentation },
|
|
24
24
|
patcher,
|
|
25
25
|
assess: {
|
|
26
|
-
|
|
26
|
+
eventFactory: { createPropagationEvent },
|
|
27
|
+
dataflow: { tracker }
|
|
27
28
|
}
|
|
28
29
|
} = core;
|
|
29
30
|
const stringInstrumentation = core.assess.dataflow.propagation.stringInstrumentation = {
|
|
@@ -23,9 +23,9 @@ module.exports = function(core) {
|
|
|
23
23
|
scopes: { sources, instrumentation },
|
|
24
24
|
patcher,
|
|
25
25
|
assess: {
|
|
26
|
+
eventFactory: { createPropagationEvent },
|
|
26
27
|
dataflow: {
|
|
27
28
|
tracker,
|
|
28
|
-
eventFactory: { createPropagationEvent },
|
|
29
29
|
propagation: { stringInstrumentation },
|
|
30
30
|
},
|
|
31
31
|
},
|
|
@@ -23,9 +23,9 @@ module.exports = function(core) {
|
|
|
23
23
|
scopes: { sources, instrumentation },
|
|
24
24
|
patcher,
|
|
25
25
|
assess: {
|
|
26
|
+
eventFactory: { createPropagationEvent },
|
|
26
27
|
dataflow: {
|
|
27
28
|
tracker,
|
|
28
|
-
eventFactory: { createPropagationEvent },
|
|
29
29
|
propagation: { stringInstrumentation },
|
|
30
30
|
},
|
|
31
31
|
},
|
|
@@ -28,7 +28,8 @@ module.exports = function(core) {
|
|
|
28
28
|
const {
|
|
29
29
|
patcher,
|
|
30
30
|
assess: {
|
|
31
|
-
|
|
31
|
+
eventFactory: { createPropagationEvent },
|
|
32
|
+
dataflow: { tracker }
|
|
32
33
|
},
|
|
33
34
|
scopes: { sources, instrumentation }
|
|
34
35
|
} = core;
|
|
@@ -1,5 +1,5 @@
|
|
|
1
1
|
/*
|
|
2
|
-
* Copyright:
|
|
2
|
+
* Copyright: 2023 Contrast Security, Inc
|
|
3
3
|
* Contact: support@contrastsecurity.com
|
|
4
4
|
* License: Commercial
|
|
5
5
|
|
|
@@ -24,7 +24,8 @@ module.exports = function(core) {
|
|
|
24
24
|
patcher,
|
|
25
25
|
depHooks,
|
|
26
26
|
assess: {
|
|
27
|
-
|
|
27
|
+
eventFactory: { createPropagationEvent },
|
|
28
|
+
dataflow: { tracker }
|
|
28
29
|
}
|
|
29
30
|
} = core;
|
|
30
31
|
|
|
@@ -1,5 +1,5 @@
|
|
|
1
1
|
/*
|
|
2
|
-
* Copyright:
|
|
2
|
+
* Copyright: 2023 Contrast Security, Inc
|
|
3
3
|
* Contact: support@contrastsecurity.com
|
|
4
4
|
* License: Commercial
|
|
5
5
|
|
|
@@ -24,7 +24,8 @@ module.exports = function(core) {
|
|
|
24
24
|
patcher,
|
|
25
25
|
depHooks,
|
|
26
26
|
assess: {
|
|
27
|
-
|
|
27
|
+
eventFactory: { createPropagationEvent },
|
|
28
|
+
dataflow: { tracker }
|
|
28
29
|
}
|
|
29
30
|
} = core;
|
|
30
31
|
|
|
@@ -75,18 +76,24 @@ module.exports = function(core) {
|
|
|
75
76
|
const endIdx = query.indexOf('=');
|
|
76
77
|
const key = query.substring(startIdx, endIdx);
|
|
77
78
|
const param = query.substring(endIdx + 1, query.length);
|
|
78
|
-
const paramInfo = tracker.getData(param);
|
|
79
|
-
if (!paramInfo) return;
|
|
80
79
|
|
|
81
|
-
const
|
|
82
|
-
|
|
80
|
+
const keyInfo = tracker.getData(key);
|
|
81
|
+
const paramInfo = tracker.getData(param);
|
|
83
82
|
|
|
84
|
-
|
|
85
|
-
|
|
83
|
+
if (keyInfo) {
|
|
84
|
+
const event = getPropagationEvent(params, keyInfo, data);
|
|
85
|
+
if (event) Object.assign(keyInfo, event);
|
|
86
|
+
}
|
|
86
87
|
|
|
87
|
-
if (
|
|
88
|
-
|
|
88
|
+
if (paramInfo) {
|
|
89
|
+
const event = getPropagationEvent(params, paramInfo, data);
|
|
90
|
+
if (event) Object.assign(paramInfo, event);
|
|
89
91
|
}
|
|
92
|
+
|
|
93
|
+
const trackedKey = keyInfo?.extern;
|
|
94
|
+
const trackedParam = paramInfo?.extern;
|
|
95
|
+
if (trackedKey) result.delete(key);
|
|
96
|
+
result.set(trackedKey || key, trackedParam || param);
|
|
90
97
|
});
|
|
91
98
|
}
|
|
92
99
|
|
|
@@ -30,10 +30,10 @@ module.exports = function(core) {
|
|
|
30
30
|
patcher,
|
|
31
31
|
scopes: { sources },
|
|
32
32
|
assess: {
|
|
33
|
+
eventFactory: { createSinkEvent },
|
|
33
34
|
dataflow: {
|
|
34
35
|
tracker,
|
|
35
36
|
sinks: { isVulnerable, reportFindings },
|
|
36
|
-
eventFactory: { createSinkEvent },
|
|
37
37
|
},
|
|
38
38
|
},
|
|
39
39
|
} = core;
|
|
@@ -44,10 +44,10 @@ module.exports = function(core) {
|
|
|
44
44
|
patcher,
|
|
45
45
|
scopes: { sources, instrumentation },
|
|
46
46
|
assess: {
|
|
47
|
+
eventFactory: { createSinkEvent },
|
|
47
48
|
dataflow: {
|
|
48
49
|
tracker,
|
|
49
50
|
sinks: { isVulnerable, reportFindings, reportSafePositive },
|
|
50
|
-
eventFactory: { createSinkEvent },
|
|
51
51
|
},
|
|
52
52
|
},
|
|
53
53
|
} = core;
|