@contrast/assess 1.19.0 → 1.20.0
This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
- package/LICENSE +1 -1
- package/lib/constants.js +1 -1
- package/lib/crypto-analysis/common.js +1 -1
- package/lib/crypto-analysis/index.js +1 -1
- package/lib/crypto-analysis/install/crypto.js +8 -3
- package/lib/crypto-analysis/install/math.js +8 -3
- package/lib/dataflow/index.js +1 -1
- package/lib/dataflow/propagation/common.js +1 -1
- package/lib/dataflow/propagation/index.js +1 -1
- package/lib/dataflow/propagation/install/JSON/index.js +1 -1
- package/lib/dataflow/propagation/install/JSON/parse-fn.js +1 -1
- package/lib/dataflow/propagation/install/JSON/parse.js +3 -3
- package/lib/dataflow/propagation/install/JSON/stringify.js +1 -1
- package/lib/dataflow/propagation/install/array-prototype-join.js +1 -1
- package/lib/dataflow/propagation/install/buffer.js +1 -1
- package/lib/dataflow/propagation/install/contrast-methods/add.js +1 -1
- package/lib/dataflow/propagation/install/contrast-methods/index.js +1 -1
- package/lib/dataflow/propagation/install/contrast-methods/number.js +4 -3
- package/lib/dataflow/propagation/install/contrast-methods/string.js +1 -1
- package/lib/dataflow/propagation/install/contrast-methods/tag.js +1 -1
- package/lib/dataflow/propagation/install/decode-uri-component.js +1 -1
- package/lib/dataflow/propagation/install/ejs/escape-xml.js +1 -1
- package/lib/dataflow/propagation/install/ejs/index.js +1 -1
- package/lib/dataflow/propagation/install/ejs/template.js +7 -5
- package/lib/dataflow/propagation/install/encode-uri.js +1 -1
- package/lib/dataflow/propagation/install/escape-html.js +1 -1
- package/lib/dataflow/propagation/install/escape.js +1 -1
- package/lib/dataflow/propagation/install/handlebars-utils-escape-expression.js +1 -1
- package/lib/dataflow/propagation/install/isnumeric-0.js +3 -3
- package/lib/dataflow/propagation/install/joi/any.js +1 -1
- package/lib/dataflow/propagation/install/joi/boolean.js +1 -1
- package/lib/dataflow/propagation/install/joi/expression.js +1 -1
- package/lib/dataflow/propagation/install/joi/index.js +1 -1
- package/lib/dataflow/propagation/install/joi/keys.js +1 -1
- package/lib/dataflow/propagation/install/joi/number.js +1 -1
- package/lib/dataflow/propagation/install/joi/object.js +1 -1
- package/lib/dataflow/propagation/install/joi/string-schema.js +1 -1
- package/lib/dataflow/propagation/install/joi/utils.js +1 -1
- package/lib/dataflow/propagation/install/joi/values.js +1 -1
- package/lib/dataflow/propagation/install/mongoose/common.js +1 -1
- package/lib/dataflow/propagation/install/mongoose/index.js +1 -1
- package/lib/dataflow/propagation/install/mongoose/schema-map.js +1 -1
- package/lib/dataflow/propagation/install/mongoose/schema-mixed.js +1 -1
- package/lib/dataflow/propagation/install/mongoose/schema-string.js +1 -1
- package/lib/dataflow/propagation/install/mustache-escape.js +1 -1
- package/lib/dataflow/propagation/install/mysql-connection-escape.js +1 -1
- package/lib/dataflow/propagation/install/parse-int.js +3 -3
- package/lib/dataflow/propagation/install/path/basename.js +1 -1
- package/lib/dataflow/propagation/install/path/common.js +1 -1
- package/lib/dataflow/propagation/install/path/dirname.js +1 -1
- package/lib/dataflow/propagation/install/path/extname.js +1 -1
- package/lib/dataflow/propagation/install/path/format.js +1 -1
- package/lib/dataflow/propagation/install/path/index.js +1 -1
- package/lib/dataflow/propagation/install/path/join-and-resolve.js +1 -1
- package/lib/dataflow/propagation/install/path/normalize.js +1 -1
- package/lib/dataflow/propagation/install/path/parse.js +1 -1
- package/lib/dataflow/propagation/install/path/relative.js +1 -1
- package/lib/dataflow/propagation/install/path/toNamespacedPath.js +1 -1
- package/lib/dataflow/propagation/install/pug/index.js +3 -3
- package/lib/dataflow/propagation/install/pug-runtime-escape.js +1 -1
- package/lib/dataflow/propagation/install/querystring/escape.js +1 -1
- package/lib/dataflow/propagation/install/querystring/index.js +1 -1
- package/lib/dataflow/propagation/install/querystring/parse.js +1 -1
- package/lib/dataflow/propagation/install/querystring/stringify.js +1 -1
- package/lib/dataflow/propagation/install/reg-exp-prototype-exec.js +1 -1
- package/lib/dataflow/propagation/install/send.js +1 -1
- package/lib/dataflow/propagation/install/sequelize/index.js +1 -1
- package/lib/dataflow/propagation/install/sequelize/query-generator.js +1 -1
- package/lib/dataflow/propagation/install/sequelize/sql-string.js +1 -1
- package/lib/dataflow/propagation/install/sql-template-strings.js +1 -1
- package/lib/dataflow/propagation/install/string/concat.js +1 -1
- package/lib/dataflow/propagation/install/string/format-methods.js +1 -1
- package/lib/dataflow/propagation/install/string/html-methods.js +1 -1
- package/lib/dataflow/propagation/install/string/index.js +1 -1
- package/lib/dataflow/propagation/install/string/match-all.js +1 -1
- package/lib/dataflow/propagation/install/string/match.js +1 -1
- package/lib/dataflow/propagation/install/string/replace.js +1 -1
- package/lib/dataflow/propagation/install/string/slice.js +1 -1
- package/lib/dataflow/propagation/install/string/split.js +1 -1
- package/lib/dataflow/propagation/install/string/substring.js +1 -1
- package/lib/dataflow/propagation/install/string/trim.js +1 -1
- package/lib/dataflow/propagation/install/unescape.js +1 -1
- package/lib/dataflow/propagation/install/url/domain-parsers.js +1 -1
- package/lib/dataflow/propagation/install/url/index.js +1 -1
- package/lib/dataflow/propagation/install/url/parse.js +1 -1
- package/lib/dataflow/propagation/install/url/searchParams.js +1 -1
- package/lib/dataflow/propagation/install/url/url.js +1 -1
- package/lib/dataflow/propagation/install/util-format.js +1 -1
- package/lib/dataflow/propagation/install/validator/hooks.js +1 -1
- package/lib/dataflow/propagation/install/validator/index.js +1 -1
- package/lib/dataflow/propagation/install/validator/methods.js +1 -1
- package/lib/dataflow/sinks/common.js +1 -1
- package/lib/dataflow/sinks/index.js +1 -1
- package/lib/dataflow/sinks/install/child-process.js +1 -1
- package/lib/dataflow/sinks/install/eval.js +1 -1
- package/lib/dataflow/sinks/install/express/index.js +1 -1
- package/lib/dataflow/sinks/install/express/unvalidated-redirect.js +1 -1
- package/lib/dataflow/sinks/install/fastify/index.js +1 -1
- package/lib/dataflow/sinks/install/fastify/unvalidated-redirect.js +1 -1
- package/lib/dataflow/sinks/install/fs.js +1 -1
- package/lib/dataflow/sinks/install/function.js +1 -1
- package/lib/dataflow/sinks/install/http/index.js +1 -1
- package/lib/dataflow/sinks/install/http/request.js +1 -1
- package/lib/dataflow/sinks/install/http/server-response.js +1 -1
- package/lib/dataflow/sinks/install/koa/index.js +1 -1
- package/lib/dataflow/sinks/install/koa/unvalidated-redirect.js +1 -1
- package/lib/dataflow/sinks/install/libxmljs.js +1 -1
- package/lib/dataflow/sinks/install/marsdb.js +4 -4
- package/lib/dataflow/sinks/install/mongodb.js +7 -7
- package/lib/dataflow/sinks/install/mssql.js +1 -1
- package/lib/dataflow/sinks/install/mysql.js +1 -1
- package/lib/dataflow/sinks/install/node-serialize.js +1 -1
- package/lib/dataflow/sinks/install/postgres.js +1 -1
- package/lib/dataflow/sinks/install/sequelize.js +7 -8
- package/lib/dataflow/sinks/install/sqlite3.js +1 -1
- package/lib/dataflow/sinks/install/vm.js +1 -1
- package/lib/dataflow/sources/common.js +1 -1
- package/lib/dataflow/sources/handler.js +11 -10
- package/lib/dataflow/sources/index.js +2 -2
- package/lib/dataflow/sources/install/body-parser1.js +11 -13
- package/lib/dataflow/sources/install/{busboy1.js → busboy.js} +15 -15
- package/lib/dataflow/sources/install/cookie-parser1.js +7 -6
- package/lib/dataflow/sources/install/express/index.js +1 -1
- package/lib/dataflow/sources/install/express/params.js +9 -10
- package/lib/dataflow/sources/install/express/parsedUrl.js +1 -1
- package/lib/dataflow/sources/install/fastify/fastify.js +6 -7
- package/lib/dataflow/sources/install/fastify/index.js +1 -1
- package/lib/dataflow/sources/install/formidable1.js +8 -6
- package/lib/dataflow/sources/install/http.js +4 -4
- package/lib/dataflow/sources/install/koa/index.js +1 -1
- package/lib/dataflow/sources/install/koa/koa-bodyparsers.js +10 -9
- package/lib/dataflow/sources/install/koa/koa-multer.js +1 -1
- package/lib/dataflow/sources/install/koa/koa-routers.js +6 -8
- package/lib/dataflow/sources/install/koa/koa2.js +42 -38
- package/lib/dataflow/sources/install/multer1.js +1 -1
- package/lib/dataflow/sources/install/qs6.js +7 -6
- package/lib/dataflow/sources/install/querystring.js +4 -4
- package/lib/dataflow/tag-utils.js +1 -1
- package/lib/dataflow/tracker.js +1 -1
- package/lib/dataflow/utils/is-safe-content-type.js +1 -1
- package/lib/dataflow/utils/is-vulnerable.js +1 -1
- package/lib/event-factory.js +30 -28
- package/lib/get-policy.js +1 -1
- package/lib/get-source-context.js +1 -1
- package/lib/index.d.ts +16 -2
- package/lib/index.js +1 -1
- package/lib/make-source-context.js +6 -2
- package/lib/response-scanning/handlers/index.js +1 -1
- package/lib/response-scanning/handlers/utils.js +1 -1
- package/lib/response-scanning/index.js +1 -1
- package/lib/response-scanning/install/http.js +1 -1
- package/lib/rule-scopes.js +1 -1
- package/lib/session-configuration/common.js +1 -1
- package/lib/session-configuration/handlers.js +67 -49
- package/lib/session-configuration/index.js +3 -1
- package/lib/session-configuration/install/express-session.js +15 -24
- package/lib/session-configuration/install/fastify-cookie.js +110 -0
- package/lib/session-configuration/install/hapi.js +8 -11
- package/lib/session-configuration/install/koa.js +101 -0
- package/package.json +1 -1
package/LICENSE
CHANGED
package/lib/constants.js
CHANGED
|
@@ -1,5 +1,5 @@
|
|
|
1
1
|
/*
|
|
2
|
-
* Copyright:
|
|
2
|
+
* Copyright: 2024 Contrast Security, Inc
|
|
3
3
|
* Contact: support@contrastsecurity.com
|
|
4
4
|
* License: Commercial
|
|
5
5
|
|
|
@@ -47,7 +47,7 @@ const SAFE_CIPHER_ALGORITHM_PREFIXES = ['des-ede', 'id-aes', 'aes', 'rsa'];
|
|
|
47
47
|
* assess: import('@contrast/assess').Assess,
|
|
48
48
|
* }} core
|
|
49
49
|
*/
|
|
50
|
-
module.exports = function(core) {
|
|
50
|
+
module.exports = function (core) {
|
|
51
51
|
const {
|
|
52
52
|
config,
|
|
53
53
|
depHooks,
|
|
@@ -100,7 +100,12 @@ module.exports = function(core) {
|
|
|
100
100
|
} else {
|
|
101
101
|
for (const { file } of event.stack) {
|
|
102
102
|
for (const lib of SAFE_HASH_LIBS) {
|
|
103
|
-
logger.trace(
|
|
103
|
+
logger.trace(
|
|
104
|
+
{ funcKey: data.funcKey },
|
|
105
|
+
'skipping reporting for %s - trusting %s',
|
|
106
|
+
Rule.CRYPTO_BAD_MAC,
|
|
107
|
+
lib
|
|
108
|
+
);
|
|
104
109
|
if (file.indexOf(lib) >= 0) return;
|
|
105
110
|
}
|
|
106
111
|
}
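Review bot: The trace on new lines 103–108 runs before the `file.indexOf(lib)` test on line 109, so "skipping reporting … trusting lib" is logged for every stack frame × every entry in SAFE_HASH_LIBS even when nothing is skipped, and the message is wrong most of the time. Gate it on the match, as the SAFE_RANDOM_LIBS hunk further down already does: put `if (file.indexOf(lib) < 0) continue;` before `logger.trace(` and replace the existing conditional with a bare `return;`. The ordering appears to predate the reformat, but the call is being rewritten here anyway. Separately, the substring match means any stack file path that merely contains a trusted library name suppresses the finding; that is pre-existing but worth a comment. The enclosing function and the `else` branch start outside the hunk.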
|
|
@@ -1,5 +1,5 @@
|
|
|
1
1
|
/*
|
|
2
|
-
* Copyright:
|
|
2
|
+
* Copyright: 2024 Contrast Security, Inc
|
|
3
3
|
* Contact: support@contrastsecurity.com
|
|
4
4
|
* License: Commercial
|
|
5
5
|
|
|
@@ -33,7 +33,7 @@ const SAFE_RANDOM_LIBS = [
|
|
|
33
33
|
* assess: import('@contrast/assess').Assess,
|
|
34
34
|
* }} core
|
|
35
35
|
*/
|
|
36
|
-
module.exports = function(core) {
|
|
36
|
+
module.exports = function (core) {
|
|
37
37
|
const {
|
|
38
38
|
assess: {
|
|
39
39
|
eventFactory,
|
|
@@ -79,7 +79,12 @@ module.exports = function(core) {
|
|
|
79
79
|
for (const { file } of event.stack) {
|
|
80
80
|
for (const lib of SAFE_RANDOM_LIBS) {
|
|
81
81
|
if (file.indexOf(lib) >= 0) {
|
|
82
|
-
logger.trace(
|
|
82
|
+
logger.trace(
|
|
83
|
+
{ funcKey: data.funcKey },
|
|
84
|
+
'skipping reporting for %s - trusting %s',
|
|
85
|
+
ruleId,
|
|
86
|
+
lib,
|
|
87
|
+
);
|
|
83
88
|
return;
|
|
84
89
|
}
|
|
85
90
|
}
|
package/lib/dataflow/index.js
CHANGED
|
@@ -1,5 +1,5 @@
|
|
|
1
1
|
/*
|
|
2
|
-
* Copyright:
|
|
2
|
+
* Copyright: 2024 Contrast Security, Inc
|
|
3
3
|
* Contact: support@contrastsecurity.com
|
|
4
4
|
* License: Commercial
|
|
5
5
|
|
|
@@ -142,8 +142,8 @@ module.exports = function (core) {
|
|
|
142
142
|
|
|
143
143
|
try {
|
|
144
144
|
keyValueIndexes = getKeyValueIndexes(input);
|
|
145
|
-
} catch (
|
|
146
|
-
logger.warn({
|
|
145
|
+
} catch (err) {
|
|
146
|
+
logger.warn({ err, funcKey: data.funcKey, string: input }, 'JSON.parse() propagation failed');
|
|
147
147
|
}
|
|
148
148
|
|
|
149
149
|
if (keyValueIndexes.length === 0) return;
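Review bot: The new warn on line 146 puts the entire `input` string into the log record; as the argument of a JSON.parse propagation hook it is likely tracked, request-derived data that may carry credentials or personal data, and it can be arbitrarily large. Prefer a bounded field, e.g. `logger.warn({ err, funcKey: data.funcKey, length: input?.length }, 'JSON.parse() propagation failed');`, or a short prefix if the content is genuinely needed for debugging. `err.message` from a failed parse usually already names the offending position, which is enough to diagnose. The surrounding function starts and ends outside the hunk.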
|
|
@@ -1,5 +1,5 @@
|
|
|
1
1
|
/*
|
|
2
|
-
* Copyright:
|
|
2
|
+
* Copyright: 2024 Contrast Security, Inc
|
|
3
3
|
* Contact: support@contrastsecurity.com
|
|
4
4
|
* License: Commercial
|
|
5
5
|
|
|
@@ -18,7 +18,7 @@
|
|
|
18
18
|
const { isString } = require('@contrast/common');
|
|
19
19
|
const { patchType } = require('../../common');
|
|
20
20
|
|
|
21
|
-
module.exports = function(core) {
|
|
21
|
+
module.exports = function (core) {
|
|
22
22
|
const {
|
|
23
23
|
logger,
|
|
24
24
|
scopes: { instrumentation, sources },
|
|
@@ -43,11 +43,12 @@ module.exports = function(core) {
|
|
|
43
43
|
!isString(value) ||
|
|
44
44
|
!sources.getStore()?.assess ||
|
|
45
45
|
instrumentation.isLocked() ||
|
|
46
|
+
// why not just do this first? won't need check for NaN, !value, !isString, etc.
|
|
46
47
|
!tracker.getData(value)
|
|
47
48
|
) return;
|
|
48
49
|
|
|
49
50
|
tracker.untrack(value);
|
|
50
|
-
logger.trace({ sanitizer: name, value }, 'untracked a string value');
|
|
51
|
+
logger.trace({ funcKey: data.funcKey, sanitizer: name, value }, 'untracked a string value');
|
|
51
52
|
}
|
|
52
53
|
});
|
|
53
54
|
},
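Review bot: The comment added on line 46 is a question left in shipped code rather than a decision, so a reader cannot tell whether the guard order is deliberate. Either reorder if it is safe, or record the reasoning and track the follow-up, e.g. `// TODO(owner): consider testing tracker.getData(value) first; the cheaper guards above may then be redundant`. Keeping the `isString`/store/`isLocked()` guards ahead of the tracker lookup may be intentional so no lookup happens while instrumentation is locked, but the hunk does not say. The enclosing patch definition and its handler start outside the hunk.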
|
|
@@ -1,5 +1,5 @@
|
|
|
1
1
|
/*
|
|
2
|
-
* Copyright:
|
|
2
|
+
* Copyright: 2024 Contrast Security, Inc
|
|
3
3
|
* Contact: support@contrastsecurity.com
|
|
4
4
|
* License: Commercial
|
|
5
5
|
|
|
@@ -28,7 +28,7 @@ const { InstrumentationType: { PROPAGATOR } } = require('../../../../constants')
|
|
|
28
28
|
* }} core
|
|
29
29
|
* @returns {import('@contrast/common').Installable}
|
|
30
30
|
*/
|
|
31
|
-
module.exports = function(core) {
|
|
31
|
+
module.exports = function (core) {
|
|
32
32
|
const {
|
|
33
33
|
assess: { getSourceContext },
|
|
34
34
|
depHooks,
|
|
@@ -56,9 +56,8 @@ module.exports = function(core) {
|
|
|
56
56
|
*/
|
|
57
57
|
install() {
|
|
58
58
|
depHooks.resolve({ name: 'ejs', version: '>=2.6.2' }, (_export, version) => {
|
|
59
|
-
const name = 'ejs.Template.prototype.generateSource';
|
|
60
59
|
patcher.patch(_export.Template.prototype, 'generateSource', {
|
|
61
|
-
name,
|
|
60
|
+
name: 'ejs.Template.prototype.generateSource',
|
|
62
61
|
patchType,
|
|
63
62
|
post(data) {
|
|
64
63
|
if (!getSourceContext(PROPAGATOR)) return;
|
|
@@ -67,7 +66,10 @@ module.exports = function(core) {
|
|
|
67
66
|
const { code } = rewriter.rewrite(`${WRAPPER_PREFIX}${data.obj.source}${WRAPPER_SUFFIX}`, REWRITE_OPTS);
|
|
68
67
|
data.obj.source = code.substring(code.indexOf('{') + 1, code.lastIndexOf('}'));
|
|
69
68
|
} catch (err) {
|
|
70
|
-
logger.error(
|
|
69
|
+
logger.error(
|
|
70
|
+
{ err, funcKey: data.funcKey, source: data.obj.source },
|
|
71
|
+
'error occurred while rewriting ejs source'
|
|
72
|
+
);
|
|
71
73
|
}
|
|
72
74
|
}
|
|
73
75
|
});
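Review bot: The new error log on lines 69–72 attaches the full `data.obj.source` template text; templates can be large and, in applications that compile user-supplied templates, untrusted, so the whole body lands in the log at error level. Consider a bounded field such as `sourceLength: data.obj.source?.length` or a short prefix, and let `err` carry the rewriter's position details. Note also that after a failed rewrite `data.obj.source` is left as it was (the assignment on line 67 never ran), so the template still compiles but presumably without propagation through it; a one-line comment saying so above `logger.error(` would help the next reader. The `install()` callback and its `post` handler start and end outside the hunk.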
|
|
@@ -1,5 +1,5 @@
|
|
|
1
1
|
/*
|
|
2
|
-
* Copyright:
|
|
2
|
+
* Copyright: 2024 Contrast Security, Inc
|
|
3
3
|
* Contact: support@contrastsecurity.com
|
|
4
4
|
* License: Commercial
|
|
5
5
|
|
|
@@ -18,7 +18,7 @@
|
|
|
18
18
|
const { isString } = require('@contrast/common');
|
|
19
19
|
const { patchType } = require('../common');
|
|
20
20
|
|
|
21
|
-
module.exports = function(core) {
|
|
21
|
+
module.exports = function (core) {
|
|
22
22
|
const {
|
|
23
23
|
logger,
|
|
24
24
|
scopes: { sources, instrumentation },
|
|
@@ -50,7 +50,7 @@ module.exports = function(core) {
|
|
|
50
50
|
) return;
|
|
51
51
|
|
|
52
52
|
tracker.untrack(value);
|
|
53
|
-
logger.trace({ sanitizer: fullName, value }, 'untracked a string value');
|
|
53
|
+
logger.trace({ funcKey: data.funcKey, sanitizer: fullName, value }, 'untracked a string value');
|
|
54
54
|
}
|
|
55
55
|
});
|
|
56
56
|
});
|
|
@@ -1,5 +1,5 @@
|
|
|
1
1
|
/*
|
|
2
|
-
* Copyright:
|
|
2
|
+
* Copyright: 2024 Contrast Security, Inc
|
|
3
3
|
* Contact: support@contrastsecurity.com
|
|
4
4
|
* License: Commercial
|
|
5
5
|
|
|
@@ -18,7 +18,7 @@
|
|
|
18
18
|
const { isString } = require('@contrast/common');
|
|
19
19
|
const { patchType } = require('../common');
|
|
20
20
|
|
|
21
|
-
module.exports = function(core) {
|
|
21
|
+
module.exports = function (core) {
|
|
22
22
|
const {
|
|
23
23
|
logger,
|
|
24
24
|
scopes: { instrumentation, sources },
|
|
@@ -49,7 +49,7 @@ module.exports = function(core) {
|
|
|
49
49
|
// todo NODE-3118 to handle when value has trailing non-integer values
|
|
50
50
|
|
|
51
51
|
tracker.untrack(value);
|
|
52
|
-
logger.trace({ sanitizer: name, value }, 'untracked a string value');
|
|
52
|
+
logger.trace({ funcKey: data.funcKey, sanitizer: name, value }, 'untracked a string value');
|
|
53
53
|
}
|
|
54
54
|
});
|
|
55
55
|
},
|
|
@@ -1,5 +1,5 @@
|
|
|
1
1
|
/*
|
|
2
|
-
* Copyright:
|
|
2
|
+
* Copyright: 2024 Contrast Security, Inc
|
|
3
3
|
* Contact: support@contrastsecurity.com
|
|
4
4
|
* License: Commercial
|
|
5
5
|
|
|
@@ -44,8 +44,8 @@ module.exports = function (core) {
|
|
|
44
44
|
return instrumentation.run(store,
|
|
45
45
|
() => rewriter.rewrite(value, rewriterOpts).code
|
|
46
46
|
);
|
|
47
|
-
} catch (
|
|
48
|
-
logger.warn(
|
|
47
|
+
} catch (err) {
|
|
48
|
+
logger.warn({ err, funcKey: data.funcKey }, 'Failed to rewrite pug code');
|
|
49
49
|
return value;
|
|
50
50
|
}
|
|
51
51
|
}
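Review bot: The rewritten catch on lines 47–48 returns the original `value` after logging, so a rewrite failure silently degrades to un-instrumented pug output and, presumably, dataflow is no longer tracked through that template; neither the code nor the message says this. Suggest `// fall back to the unrewritten source: the template still compiles, but propagation through it is lost` above `return value;`, or fold the consequence into the message, e.g. `'Failed to rewrite pug code; propagation through this template will be skipped'`. The enclosing function starts outside the hunk.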
|