@contrast/assess 1.12.0 → 1.13.0

package/LICENSE

@@ -0,0 +1,12 @@
+Copyright: 2023 Contrast Security, Inc
+Contact: support@contrastsecurity.com
+License: Commercial
+
+NOTICE: This Software and the patented inventions embodied within may only be
+used as part of Contrast Security’s commercial offerings. Even though it is
+made available through public repositories, use of this Software is subject to
+the applicable End User Licensing Agreement found at
+https://www.contrastsecurity.com/enduser-terms-0317a or as otherwise agreed
+between Contrast Security and the End User. The Software may not be reverse
+engineered, modified, repackaged, sold, redistributed or otherwise used in a
+way not consistent with the End User License Agreement.

package/lib/dataflow/propagation/index.js

@@ -45,6 +45,8 @@ module.exports = function(core) {
   require('./install/JSON')(core);
   require('./install/path')(core);
   require('./install/reg-exp-prototype-exec')(core);
+  require('./install/joi')(core);
+  require('./install/send')(core);
 
   propagation.install = function() {
     callChildComponentMethodsSync(propagation, 'install');

package/lib/dataflow/propagation/install/joi/index.js

@@ -0,0 +1,35 @@
+/*
+ * Copyright: 2023 Contrast Security, Inc
+ * Contact: support@contrastsecurity.com
+ * License: Commercial
+
+ * NOTICE: This Software and the patented inventions embodied within may only be
+ * used as part of Contrast Security’s commercial offerings. Even though it is
+ * made available through public repositories, use of this Software is subject to
+ * the applicable End User Licensing Agreement found at
+ * https://www.contrastsecurity.com/enduser-terms-0317a or as otherwise agreed
+ * between Contrast Security and the End User. The Software may not be reverse
+ * engineered, modified, repackaged, sold, redistributed or otherwise used in a
+ * way not consistent with the End User License Agreement.
+ */
+
+'use strict';
+
+const { callChildComponentMethodsSync } = require('@contrast/common');
+
+module.exports = function(core) {
+  const joiInstrumentation = core.assess.dataflow.propagation.joiInstrumentation = {
+    install() {
+      callChildComponentMethodsSync(joiInstrumentation, 'install');
+    },
+    uninstall() {
+      callChildComponentMethodsSync(joiInstrumentation, 'uninstall');
+    },
+  };
+
+  require('./keys')(core);
+  require('./string-schema')(core);
+  require('./values')(core);
+
+  return joiInstrumentation;
+};

package/lib/dataflow/propagation/install/joi/keys.js

@@ -0,0 +1,140 @@
+/*
+ * Copyright: 2023 Contrast Security, Inc
+ * Contact: support@contrastsecurity.com
+ * License: Commercial
+
+ * NOTICE: This Software and the patented inventions embodied within may only be
+ * used as part of Contrast Security’s commercial offerings. Even though it is
+ * made available through public repositories, use of this Software is subject to
+ * the applicable End User Licensing Agreement found at
+ * https://www.contrastsecurity.com/enduser-terms-0317a or as otherwise agreed
+ * between Contrast Security and the End User. The Software may not be reverse
+ * engineered, modified, repackaged, sold, redistributed or otherwise used in a
+ * way not consistent with the End User License Agreement.
+ */
+
+'use strict';
+
+const {
+  isNonEmptyObject, join,
+} = require('@contrast/common');
+const { patchType } = require('../../common');
+
+module.exports = function(core) {
+  const {
+    depHooks,
+    patcher,
+  } = core;
+
+  function addMetadata(schema, refTargetPath, refPath, isInReference) {
+    if (!schema.__CONTRAST__) {
+      Object.defineProperty(schema, '__CONTRAST__', {
+        enumerable: false,
+        configurable: true,
+        value: {
+          inReferenceTargets: new Set(),
+          refTargets: {}
+        },
+        writable: true,
+      });
+    }
+
+    let path = join(refTargetPath, '.');
+
+    if (isInReference) {
+      path = join(refTargetPath.slice(0, -1), '.');
+      schema.__CONTRAST__.inReferenceTargets.add(path);
+      refPath = refPath.slice(0, -1);
+    }
+
+    const refs = schema.__CONTRAST__.refTargets[path] || [];
+    refs.push(join(refPath, '.'));
+    schema.__CONTRAST__.refTargets[path] = refs;
+  }
+
+  function traverseChildSchemas(schema, refTargetPath, currentPath, refOpts) {
+    const traversable = schema.type === 'object' ? schema._ids._byKey.entries() : Object.entries(schema.$_terms.items);
+
+    for (const [childKey, item] of traversable) {
+      const value = schema.type === 'object' ? item.schema : item;
+      const newRefTargetPath = [...refTargetPath, childKey];
+      const newCurrentPath = [...currentPath, childKey];
+
+      if (value.type === 'string') {
+        addMetadata(value, newRefTargetPath, newCurrentPath, refOpts.in);
+      } else if (value.type === 'object') {
+        traverseChildSchemas(value, newRefTargetPath, newCurrentPath, refOpts);
+      }
+    }
+  }
+
+  function traverseSchemas(
+    joi,
+    currentSchema,
+    obj,
+    ancestorRef = [],
+    currentPath = [],
+  ) {
+    ancestorRef.unshift(obj);
+    if (joi.isSchema(currentSchema) || joi.isExpression(currentSchema)) return;
+    if (currentSchema && joi.isRef(currentSchema) && !currentSchema.__CONTRAST__?.isVisited) {
+      const targetSchemaRef = currentSchema.path.reduce((acc, value) => {
+        let ret = acc?.[value] || acc;
+
+        if (joi.isSchema(acc)) {
+          ret = acc?.$_terms?.keys.find(i => i.key === value);
+        }
+
+        return ret;
+      }, ancestorRef[currentSchema.ancestor - 1]);
+
+      const refTargetPath = currentSchema.absolute({ path: currentPath });
+      const targetSchemaInstace =
+        typeof targetSchemaRef?.schema === 'object'
+          ? targetSchemaRef.schema
+          : targetSchemaRef;
+
+      if (!targetSchemaInstace) return;
+
+      if (['object', 'array'].includes(targetSchemaInstace.type)) {
+        traverseChildSchemas(targetSchemaInstace, refTargetPath, currentPath, currentSchema);
+      } else {
+        addMetadata(targetSchemaInstace, refTargetPath, currentPath);
+      }
+      Object.defineProperty(currentSchema, '__CONTRAST__', {
+        enumerable: false,
+        configurable: true,
+        value: {
+          isVisited: true,
+        },
+        writable: true
+      });
+    } else {
+      if (isNonEmptyObject(currentSchema)) {
+        for (const [objKey, objValue] of Object.entries(currentSchema)) {
+          traverseSchemas(joi, objValue, currentSchema, ancestorRef, [...currentPath, objKey]);
+        }
+      }
+    }
+  }
+
+  return (core.assess.dataflow.propagation.joiInstrumentation.keys = {
+    install() {
+      depHooks.resolve(
+        { name: 'joi', file: 'lib/types/keys.js', version: '>=17.0.0' },
+        (joi) => {
+          patcher.patch(Object.getPrototypeOf(joi), 'keys', {
+            name: 'joi.keys',
+            patchType,
+            pre(data) {
+              const [value] = data.args;
+              const joi = data.obj.$_root;
+
+              traverseSchemas(joi, value, value);
+            },
+          });
+        }
+      );
+    },
+  });
+};

package/lib/dataflow/propagation/install/joi/string-schema.js

@@ -0,0 +1,269 @@
+/*
+ * Copyright: 2023 Contrast Security, Inc
+ * Contact: support@contrastsecurity.com
+ * License: Commercial
+
+ * NOTICE: This Software and the patented inventions embodied within may only be
+ * used as part of Contrast Security’s commercial offerings. Even though it is
+ * made available through public repositories, use of this Software is subject to
+ * the applicable End User Licensing Agreement found at
+ * https://www.contrastsecurity.com/enduser-terms-0317a or as otherwise agreed
+ * between Contrast Security and the End User. The Software may not be reverse
+ * engineered, modified, repackaged, sold, redistributed or otherwise used in a
+ * way not consistent with the End User License Agreement.
+ */
+
+'use strict';
+
+const {
+  DataflowTag: { ALPHANUM_SPACE_HYPHEN, LIMITED_CHARS, STRING_TYPE_CHECKED },
+  inspect,
+  join,
+  split,
+} = require('@contrast/common');
+const { createFullLengthCopyTags } = require('../../../tag-utils');
+const { patchType } = require('../../common');
+const VALIDATORS = {
+  base64: ALPHANUM_SPACE_HYPHEN,
+  guid: ALPHANUM_SPACE_HYPHEN,
+  alphanum: ALPHANUM_SPACE_HYPHEN,
+  hex: ALPHANUM_SPACE_HYPHEN,
+  isoDate: ALPHANUM_SPACE_HYPHEN,
+  isoDuration: ALPHANUM_SPACE_HYPHEN,
+  token: ALPHANUM_SPACE_HYPHEN,
+  creditCard: LIMITED_CHARS,
+  ip: LIMITED_CHARS,
+  hostname: ALPHANUM_SPACE_HYPHEN,
+  domain: ALPHANUM_SPACE_HYPHEN,
+};
+
+module.exports = function(core) {
+  const {
+    depHooks,
+    scopes: { sources, instrumentation },
+    patcher,
+    assess: {
+      eventFactory: { createPropagationEvent },
+      dataflow: { tracker },
+    },
+  } = core;
+
+  function definePropagation(methodName, tagName, inspectedSchema, origFn) {
+    function propagationFn(strInfo) {
+      const event = createPropagationEvent({
+        addedTags: [tagName],
+        name: `Joi.string.${methodName}`,
+        moduleName: 'joi',
+        methodName: `string.${methodName}`,
+        history: [{ ...strInfo }],
+        object: {
+          tracked: false,
+          value: 'Joi.string',
+        },
+        args: [
+          { tracked: true, value: strInfo.value },
+          { tracked: false, value: inspectedSchema },
+        ],
+        result: {
+          tracked: false,
+          value: undefined,
+        },
+        source: 'P0',
+        tags: {
+          ...strInfo.tags,
+          [tagName]: [0, strInfo.value.length - 1],
+        },
+        target: 'P0',
+        stacktraceOpts: {
+          prependFrames: [origFn],
+        },
+      });
+
+      if (event) {
+        Object.assign(strInfo, event);
+      }
+    }
+
+    Object.defineProperty(propagationFn, 'name', {
+      value: tagName,
+      writable: false,
+    });
+
+    return propagationFn;
+  }
+
+  function getRefInstancesTrackingData(obj, refInstancesPaths) {
+    return refInstancesPaths
+      .map((referenceInstance) => {
+        const value = split(referenceInstance, '.').reduce(
+          (acc, v) => acc[v] || acc,
+          obj
+        );
+        return tracker.getData(value);
+      })
+      .filter(Boolean);
+  }
+
+  function patchValidator(
+    validatorObj,
+    patchName,
+    validatorName,
+    tagName,
+  ) {
+    patcher.patch(validatorObj, 'validate', {
+      name: patchName,
+      patchType,
+      post(data) {
+        const [input, schema] = data.args;
+
+        if (
+          !input ||
+          (validatorName !== 'validate' && typeof data.result !== 'string') ||
+          (validatorName === 'validate' && data.result) ||
+          !sources.getStore()?.assess ||
+          instrumentation.isLocked()
+        )
+          return;
+
+        const contrastData = schema?.schema?.__CONTRAST__;
+        let refTargetPath = join(schema.state.path, '.');
+        const inReferenceTargetPath = join(schema.state.path.slice(0, -1), '.');
+        if (contrastData?.inReferenceTargets.has(inReferenceTargetPath)) {
+          refTargetPath = join(
+            schema.state.path.slice(0, -1),
+            '.'
+          );
+        }
+        const references = contrastData?.refTargets[refTargetPath];
+
+        const strInfo = tracker.getData(input);
+
+        const inspectedSchema = inspect(schema);
+        const validation = definePropagation(
+          validatorName,
+          tagName,
+          inspectedSchema,
+          data.orig
+        );
+        if (references?.length) {
+          getRefInstancesTrackingData(
+            schema.state.ancestors[schema.state.ancestors.length - 1],
+            references
+          ).forEach((refMetadata) => {
+            let { eventualValidations } = refMetadata;
+            if (!eventualValidations) {
+              eventualValidations = { [refTargetPath]: [validation] };
+            } else if (!eventualValidations[refTargetPath]) {
+              eventualValidations[refTargetPath] = [validation];
+            } else if (
+              !eventualValidations[refTargetPath].find(
+                (v) => v.name === tagName
+              )
+            ) {
+              eventualValidations[refTargetPath].push(validation);
+            }
+
+            refMetadata.eventualValidations = eventualValidations;
+          });
+        }
+
+        if (strInfo) {
+          validation(strInfo);
+        }
+      },
+    });
+  }
+
+  function reTrackCoercedValue(coerce) {
+    patcher.patch(coerce, 'method', {
+      name: 'joi.string._definition.coerce',
+      patchType,
+      post(data) {
+        const { args, result } = data;
+
+        if (
+          !args[0] ||
+          // currently, we are losing track of coerced isoDate only
+          !args[1].schema.$_getRule('isoDate') ||
+          !sources.getStore()?.assess ||
+          instrumentation.isLocked()
+        )
+          return;
+
+        const argInfo = tracker.getData(args[0]);
+
+        if (!argInfo) {
+          return;
+        }
+
+        const event = createPropagationEvent({
+          name: 'Joi.string.isoDate.coerce',
+          moduleName: 'joi',
+          methodName: 'string.isDate.coerce',
+          history: [argInfo],
+          object: {
+            tracked: false,
+            value: 'Joi.string',
+          },
+          args: [
+            { tracked: true, value: argInfo.value },
+            { tracked: false, value: inspect(args[1]) },
+          ],
+          result: {
+            tracked: false,
+            value: result,
+          },
+          source: 'P0',
+          tags: createFullLengthCopyTags(argInfo.tags, result.value.length),
+          target: 'R',
+          stacktraceOpts: {
+            prependFrames: [data.orig],
+          },
+        });
+
+        const { extern } = tracker.track(result.value, event);
+
+        if (extern) {
+          data.result.value = extern;
+        }
+      },
+    });
+  }
+
+  return (core.assess.dataflow.propagation.joiInstrumentation.stringSchema = {
+    install() {
+      depHooks.resolve(
+        { name: 'joi', file: 'lib/types/string.js', version: '>=17.0.0' },
+        (stringType) => {
+          const stringTypePrototype = Object.getPrototypeOf(stringType);
+          const definition = stringTypePrototype?._definition;
+          const rules = definition?.rules || {};
+
+          patchValidator(
+            definition,
+            'joi.string.validate',
+            'validate',
+            STRING_TYPE_CHECKED
+          );
+
+          for (const rule in VALIDATORS) {
+            if (rules[rule]) {
+              patchValidator(
+                rules[rule],
+                'joi.string._definition.rules',
+                rule,
+                VALIDATORS[rule],
+              );
+            }
+          }
+
+          const coerce = definition?.coerce;
+
+          if (coerce && rules['isoDate']) {
+            reTrackCoercedValue(coerce);
+          }
+        }
+      );
+    },
+  });
+};

package/lib/dataflow/propagation/install/joi/values.js

@@ -0,0 +1,141 @@
+/*
+ * Copyright: 2023 Contrast Security, Inc
+ * Contact: support@contrastsecurity.com
+ * License: Commercial
+
+ * NOTICE: This Software and the patented inventions embodied within may only be
+ * used as part of Contrast Security’s commercial offerings. Even though it is
+ * made available through public repositories, use of this Software is subject to
+ * the applicable End User Licensing Agreement found at
+ * https://www.contrastsecurity.com/enduser-terms-0317a or as otherwise agreed
+ * between Contrast Security and the End User. The Software may not be reverse
+ * engineered, modified, repackaged, sold, redistributed or otherwise used in a
+ * way not consistent with the End User License Agreement.
+ */
+
+'use strict';
+
+const {
+  isNonEmptyObject, isString, inspect, traverseValues, join
+} = require('@contrast/common');
+const { createMergedTags } = require('../../../tag-utils');
+const { patchType } = require('../../common');
+
+module.exports = function(core) {
+  const {
+    depHooks,
+    scopes: { sources, instrumentation },
+    patcher,
+    assess: {
+      eventFactory: { createPropagationEvent },
+      dataflow: { tracker },
+    },
+  } = core;
+
+  function instrumentJoiValues(values) {
+    patcher.patch(values.prototype, 'get', {
+      name: 'joi.values',
+      patchType,
+      post(data) {
+        const {
+          args: [value, state, prefs],
+          result,
+        } = data;
+
+        if (
+          !value ||
+          !result ||
+          !sources.getStore()?.assess ||
+          instrumentation.isLocked()
+        ) return;
+
+        const metadata = {
+          state: inspect(state),
+          prefs: inspect(prefs),
+          orig: data.orig
+        };
+        const targetAbsolutePath = join(result.ref.absolute(state), '.');
+
+        if (isString(value)) {
+          validateStringValue(value, result.value, result.ref, targetAbsolutePath, metadata);
+        } else if (isNonEmptyObject(value)) {
+          traverseValues(value, (path, _type, v) => {
+            validateStringValue(v, result.value, result.ref, join([...targetAbsolutePath, ...path], '.'), metadata, path);
+          });
+        }
+      },
+    });
+  }
+
+  function validateStringValue(value, resValue, ref, targetAbsolutePath, metadata, path = []) {
+    const strInfo = ref && tracker.getData(value);
+    const resStringValue = path.reduce((acc, val) => acc[val] || acc, resValue);
+
+    if (strInfo) {
+      const validations = strInfo.eventualValidations?.[targetAbsolutePath];
+      const mappedValueInfo = ref.map && tracker.getData(resStringValue);
+      const adjustedValueInfo = ref.adjust && tracker.getData(resStringValue);
+
+      if (validations?.length && !ref.map && !ref.adjust) {
+        validations.forEach(validation => validation(strInfo));
+
+        delete strInfo.eventualValidations[targetAbsolutePath];
+        !Object.keys(strInfo.eventualValidations).length && delete strInfo.eventualValidations;
+      }
+
+      if (mappedValueInfo || adjustedValueInfo) {
+        const resultInfo = mappedValueInfo || adjustedValueInfo;
+        const mergedTags = createMergedTags(strInfo.tags, resultInfo.tags);
+        const addedTags = [
+          Object.keys(resultInfo.tags).filter((tag) => !(Object.keys(strInfo.tags).find(t => t === tag))),
+          Object.keys(strInfo.tags).filter((tag) => !(Object.keys(resultInfo.tags).find(t => t === tag)))
+        ];
+
+        [strInfo, resultInfo].forEach((info, idx) => {
+          const event = createPropagationEvent({
+            addedTags: [addedTags[idx]],
+            name: 'Joi.values.get',
+            moduleName: 'joi',
+            methodName: 'values.get',
+            history: [{ ...info }],
+            object: {
+              tracked: false,
+              value: 'Joi.string',
+            },
+            args: [
+              { tracked: true, value: info.value },
+              { tracked: false, value: metadata.state },
+              { tracked: false, value: metadata.prefs },
+            ],
+            result: {
+              tracked: false,
+              value: inspect({ value: resultInfo.value, ref }),
+            },
+            source: 'P0',
+            tags: mergedTags,
+            target: 'A',
+            stacktraceOpts: {
+              prependFrames: [metadata.orig],
+            },
+          });
+
+          if (event) {
+            Object.assign(info, event);
+          }
+        });
+      } else {
+        (ref.map || ref.adjust) && tracker.untrack(value);
+      }
+    }
+  }
+
+  return (core.assess.dataflow.propagation.joiInstrumentation.values = {
+    install() {
+      depHooks.resolve(
+        { name: 'joi', file: 'lib/values.js', version: '>=17.0.0' },
+        instrumentJoiValues
+      );
+    },
+  });
+};
+

package/lib/dataflow/propagation/install/pug/index.js

@@ -16,7 +16,7 @@
 
 const { patchType } = require('../../common');
 
-module.exports = function(core) {
+module.exports = function (core) {
   const store = { lock: true, name: 'assess:propagators:pug-compile' };
   const {
     scopes: { sources, instrumentation },
@@ -28,7 +28,7 @@ module.exports = function(core) {
   const pugInstrumentation = {
     install() {
       depHooks.resolve(
-        { name: 'pug', file: 'lib/index.js' },
+        { name: 'pug' },
         (pug) => patcher.patch(pug, 'compile', {
           name: 'pug.compile',
           patchType,

package/lib/dataflow/propagation/install/send.js

@@ -0,0 +1,60 @@
+/*
+ * Copyright: 2023 Contrast Security, Inc
+ * Contact: support@contrastsecurity.com
+ * License: Commercial
+
+ * NOTICE: This Software and the patented inventions embodied within may only be
+ * used as part of Contrast Security’s commercial offerings. Even though it is
+ * made available through public repositories, use of this Software is subject to
+ * the applicable End User Licensing Agreement found at
+ * https://www.contrastsecurity.com/enduser-terms-0317a or as otherwise agreed
+ * between Contrast Security and the End User. The Software may not be reverse
+ * engineered, modified, repackaged, sold, redistributed or otherwise used in a
+ * way not consistent with the End User License Agreement.
+ */
+'use strict';
+
+const { patchType } = require('../common');
+const { slice } = require('@contrast/common');
+
+module.exports = function (core) {
+  const {
+    scopes: { sources, instrumentation },
+    depHooks,
+    patcher
+  } = core;
+
+  const send = {};
+  core.assess.dataflow.propagation.send = send;
+
+  function patchSendModule(sendModuleExport) {
+    return patcher.patch(sendModuleExport, {
+      name: 'send',
+      patchType,
+      post(data) {
+        patcher.patch(data.result, 'sendFile', {
+          name: 'send.sendFile',
+          patchType,
+          pre(data) {
+            const { args } = data;
+
+            if (!sources.getStore()?.assess || instrumentation.isLocked()) {
+              return;
+            }
+
+            const untrackedPath = slice(` ${args[0]}`, 1);
+            args[0] = untrackedPath;
+          },
+        });
+      },
+    });
+  }
+
+  send.install = function () {
+    depHooks.resolve({ name: 'send' }, (sendModule) =>
+      patchSendModule(sendModule)
+    );
+  };
+
+  return send;
+};

package/lib/dataflow/propagation/install/sequelize.js

@@ -32,7 +32,7 @@ module.exports = function(core) {
     },
   } = core;
 
-  function getFormatPostions(str) {
+  function getFormatPositions(str) {
     const positions = [];
     let index = -1;
 
@@ -50,7 +50,7 @@ module.exports = function(core) {
     return Array.from(matches, (match) => ({ [match[1]]: match.index }));
   }
 
-  return (core.assess.dataflow.propagation.sequelizeInstrumentation = {
+  return core.assess.dataflow.propagation.sequelizeInstrumentation = {
     install() {
       depHooks.resolve(
         { name: 'sequelize', file: 'lib/sql-string.js' },
@@ -133,7 +133,7 @@ module.exports = function(core) {
                 return;
               }
 
-              const positions = getFormatPostions(data.args[0]);
+              const positions = getFormatPositions(data.args[0]);
               const firstArgInfo = tracker.getData(data.args[0]);
 
               if (!positions.length) {
@@ -307,5 +307,5 @@ module.exports = function(core) {
         }
       );
     },
-  });
+  };
 };

package/lib/dataflow/sinks/install/fs.js

@@ -34,7 +34,7 @@ module.exports = function(core) {
   const {
     depHooks,
     patcher,
-    scopes: { sources },
+    scopes: { instrumentation, sources },
     assess: {
       eventFactory: { createSinkEvent },
       dataflow: {
@@ -62,7 +62,7 @@ module.exports = function(core) {
   const pre = (name, method, moduleName = 'fs', fullMethodName = '') => (data) => {
     const { name: methodName, indices } = method;
     const store = sources.getStore()?.assess;
-    if (!store) return;
+    if (!store || instrumentation.isLocked()) return;
 
     const values = getValues(indices, data.args);
     if (!values.length) return;

package/lib/dataflow/sources/install/body-parser1.js

@@ -31,7 +31,7 @@ module.exports = function init(core) {
 
   const createPreHook = (name) => (data) => {
     const [req, , next] = data.args;
-    data.args[2] = function contrastNext(...args) {
+    data.args[2] = scopes.wrap(function contrastNext(...args) {
       const sourceContext = scopes.sources.getStore()?.assess;
 
       if (!sourceContext) {
@@ -86,7 +86,7 @@ module.exports = function init(core) {
       }
 
       return next(...args);
-    };
+    });
   };
 
   assess.dataflow.sources.bodyParser1Instrumentation = {

package/lib/dataflow/sources/install/fastify/fastify.js

@@ -18,7 +18,7 @@
 const { InputType } = require('@contrast/common');
 const { patchType } = require('../../common');
 
-module.exports = function(core) {
+module.exports = function (core) {
   const {
     logger,
     depHooks,

package/lib/dataflow/sources/install/http.js

@@ -73,17 +73,18 @@ module.exports = function(core) {
         }
       });
 
-      patcher.patch(res, 'setHeader', {
-        alwaysRun: true,
-        name: 'set-header',
-        patchType,
-        pre(data) {
-          const [name = '', value] = data.args;
-          if (toLowerCase(name) === 'content-type' && value) {
-            store.assess.responseData.contentType = value;
+      if (!patcher.hooks.get(res?.setHeader)?.funcKeys.has(`${patchType}:set-header`)) {
+        patcher.patch(res, 'setHeader', {
+          name: 'set-header',
+          patchType,
+          pre(data) {
+            const [name = '', value] = data.args;
+            if (toLowerCase(name) === 'content-type' && scopes.sources.getStore()?.assess && value) {
+              store.assess.responseData.contentType = value;
+            }
           }
-        }
-      });
+        });
+      }
 
       let uriPath, queries;
       const ix = req.url.indexOf('?');

package/lib/response-scanning/install/http.js

@@ -38,8 +38,9 @@ module.exports = function(core) {
   } = core;
   const http = core.assess.responseScanning.httpInstrumentation = {};
 
-  function parseHeaders(rawHeaders = '') {
-    const headersArray = split(rawHeaders, '\r\n').filter(Boolean);
+  function parseHeaders(rawHeaders) {
+    const headersToParse = rawHeaders || '';
+    const headersArray = split(headersToParse, '\r\n').filter(Boolean);
     return headersArray.reduce((acc, header) => {
       const idx = header.indexOf(':');
 

package/package.json

@@ -1,13 +1,14 @@
 {
   "name": "@contrast/assess",
-  "version": "1.12.0",
-  "description": "",
+  "version": "1.13.0",
+  "description": "Contrast service providing framework-agnostic Assess support",
+  "license": "SEE LICENSE IN LICENSE",
+  "author": "Contrast Security <nodejs@contrastsecurity.com> (https://www.contrastsecurity.com)",
+  "files": [
+    "lib/"
+  ],
   "main": "lib/index.js",
-  "scripts": {
-    "test": "../scripts/test.sh"
-  },
-  "author": "",
-  "license": "ISC",
+  "types": "lib/index.d.ts",
   "engines": {
     "npm": ">=6.13.7 <7 || >= 8.3.1",
     "node": ">= 14.15.0"
@@ -15,7 +16,7 @@
   "dependencies": {
     "@contrast/distringuish": "^4.4.0",
     "@contrast/scopes": "1.4.0",
-    "@contrast/common": "1.14.0",
+    "@contrast/common": "1.15.0",
     "parseurl": "^1.3.3"
   }
-}
+}