npm - @contrast/assess - Versions diffs - 1.19.0 → 1.20.1 - Mend

@contrast/assess 1.19.0 → 1.20.1

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (160) hide show

package/lib/dataflow/sources/install/koa/koa2.js CHANGED Viewed

@@ -1,5 +1,5 @@
 /*
- * Copyright: 2023 Contrast Security, Inc
+ * Copyright: 2024 Contrast Security, Inc
  * Contact: support@contrastsecurity.com
  * License: Commercial
@@ -18,6 +18,8 @@
 const { InputType } = require('@contrast/common');
 const { patchType } = require('../../common');
+const inputType = InputType.QUERYSTRING;
 /**
  * Function that exports an install method to patch Koa framework with our instrumentation
  * @param {Object} core - the core Contrast object in v5
@@ -36,58 +38,60 @@ module.exports = (core) => {
    */
   function install() {
     depHooks.resolve({ name: 'koa', version: '>=2.3.0' }, (Koa) => {
-      function contrastStartMiddleware(ctx, next) {
-        const name = 'Koa.Application';
-        const sourceContext = core.scopes.sources.getStore()?.assess;
-        const inputType = InputType.QUERYSTRING;
+      const createMiddleware = ({ name, funcKey }) => {
+        const contrastStartMiddleware = function contrastStartMiddleware(ctx, next) {
+          const sourceContext = core.scopes.sources.getStore()?.assess;
-        if (!sourceContext) {
-          logger.error({ name, inputType }, 'unable to handle Koa source. Missing `sourceContext`');
-          return next();
-        }
-        // We check the contents mainly to trigger the getter for `ctx.query`
-        // that is eventually set up by `koa-qs`
-        if (ctx.query) {
-          if (sourceContext.parsedQuery) {
-            logger.trace({ name, inputType }, 'values already tracked');
+          if (!sourceContext) {
+            logger.error({ inputType, funcKey }, 'unable to handle Koa source. Missing `sourceContext`');
             return next();
           }
-          try {
-            sources.handle({
-              context: 'ctx.query',
-              data: ctx.query,
-              inputType,
-              name,
-              stacktraceOpts: {
-                constructorOpt: contrastStartMiddleware,
-              },
-              sourceContext
-            });
-            sourceContext.parsedQuery = true;
-          } catch (err) {
-            logger.error({ err, inputType, name }, 'unable to handle Koa source');
+          // We check the contents mainly to trigger the getter for `ctx.query`
+          // that is eventually set up by `koa-qs`
+          if (ctx.query) {
+            if (sourceContext.parsedQuery) {
+              logger.trace({ inputType, funcKey }, 'values already tracked');
+              return next();
+            }
+            try {
+              sources.handle({
+                context: 'ctx.query',
+                data: ctx.query,
+                inputType,
+                name,
+                stacktraceOpts: {
+                  constructorOpt: contrastStartMiddleware,
+                },
+                sourceContext
+              });
+              sourceContext.parsedQuery = true;
+            } catch (err) {
+              logger.error({ err, inputType, funcKey }, 'unable to handle Koa source');
+            }
           }
-        }
-        return next();
-      }
+          return next();
+        };
+        // mark these middleware as ours
+        contrastStartMiddleware._isContrastStartMiddleware = true;
-      // mark these middleware as ours
-      contrastStartMiddleware._isContrastStartMiddleware = true;
+        return contrastStartMiddleware;
+      };
       patcher.patch(Koa.prototype, 'use', {
         name: 'Koa.Application',
         patchType,
-        pre({ obj: app }) {
+        pre({ obj: app, name, funcKey }) {
           // if not already inserted, insert the initial middleware.
           if (
             app.middleware &&
-              (!app.middleware[0] || !app.middleware[0]._isContrastStartMiddleware)
+            (!app.middleware[0] || !app.middleware[0]._isContrastStartMiddleware)
           ) {
-            app.middleware.splice(0, 0, contrastStartMiddleware);
+            app.middleware.unshift(createMiddleware({ name, funcKey }));
           }
         }
       });

package/lib/dataflow/sources/install/multer1.js CHANGED Viewed

@@ -1,5 +1,5 @@
 /*
- * Copyright: 2023 Contrast Security, Inc
+ * Copyright: 2024 Contrast Security, Inc
  * Contact: support@contrastsecurity.com
  * License: Commercial

package/lib/dataflow/sources/install/qs6.js CHANGED Viewed

@@ -1,5 +1,5 @@
 /*
- * Copyright: 2023 Contrast Security, Inc
+ * Copyright: 2024 Contrast Security, Inc
  * Contact: support@contrastsecurity.com
  * License: Commercial
@@ -18,6 +18,8 @@
 const { InputType } = require('@contrast/common');
 const { patchType } = require('../common');
+const inputType = InputType.QUERYSTRING;
 module.exports = (core) => {
   const {
     depHooks,
@@ -33,17 +35,16 @@ module.exports = (core) => {
       (qs) => patcher.patch(qs, 'parse', {
         name,
         patchType,
-        post({ args, hooked, orig, result }) {
+        post({ args, hooked, orig, result, funcKey }) {
           const sourceContext = core.scopes.sources.getStore()?.assess;
-          const inputType = InputType.QUERYSTRING;
           if (!sourceContext) {
-            logger.error({ inputType, name }, 'unable to handle source. Missing `sourceContext`');
+            logger.error({ inputType, funcKey }, 'unable to handle source. Missing `sourceContext`');
             return;
           }
           if (sourceContext.parsedQuery) {
-            logger.trace({ inputType, name }, 'values already tracked');
+            logger.trace({ inputType, funcKey }, 'values already tracked');
             return;
           }
@@ -67,7 +68,7 @@ module.exports = (core) => {
               sourceContext.parsedQuery = true;
             } catch (err) {
-              logger.error({ err, inputType, name }, 'unable to handle source');
+              logger.error({ err, inputType, funcKey }, 'unable to handle source');
             }
           }
         }

package/lib/dataflow/sources/install/querystring.js CHANGED Viewed

@@ -1,5 +1,5 @@
 /*
- * Copyright: 2023 Contrast Security, Inc
+ * Copyright: 2024 Contrast Security, Inc
  * Contact: support@contrastsecurity.com
  * License: Commercial
@@ -28,14 +28,14 @@ module.exports = (core) => {
         (querystring) => patcher.patch(querystring, 'parse', {
           name,
           patchType,
-          post({ args, hooked, orig, result }) {
+          post({ args, hooked, orig, result, funcKey }) {
             const sourceContext = core.scopes.sources.getStore()?.assess;
             const inputType = InputType.QUERYSTRING;
             if (!sourceContext) return;
             if (sourceContext.parsedQuery) {
-              logger.trace({ name }, 'values already tracked');
+              logger.trace({ funcKey }, 'values already tracked');
               return;
             }
@@ -58,7 +58,7 @@ module.exports = (core) => {
                 // we do not set the `parsedQuery` value here so that frameworks
                 // may handle queries in their own more specific manner.
               } catch (err) {
-                logger.error({ err, name }, 'unable to handle source');
+                logger.error({ err, funcKey }, 'unable to handle source');
               }
             }
           }

package/lib/dataflow/tag-utils.js CHANGED Viewed

@@ -1,5 +1,5 @@
 /*
- * Copyright: 2023 Contrast Security, Inc
+ * Copyright: 2024 Contrast Security, Inc
  * Contact: support@contrastsecurity.com
  * License: Commercial

package/lib/dataflow/tracker.js CHANGED Viewed

@@ -1,5 +1,5 @@
 /*
- * Copyright: 2023 Contrast Security, Inc
+ * Copyright: 2024 Contrast Security, Inc
  * Contact: support@contrastsecurity.com
  * License: Commercial

package/lib/dataflow/utils/is-safe-content-type.js CHANGED Viewed

@@ -1,5 +1,5 @@
 /*
- * Copyright: 2023 Contrast Security, Inc
+ * Copyright: 2024 Contrast Security, Inc
  * Contact: support@contrastsecurity.com
  * License: Commercial

package/lib/dataflow/utils/is-vulnerable.js CHANGED Viewed

@@ -1,5 +1,5 @@
 /*
- * Copyright: 2023 Contrast Security, Inc
+ * Copyright: 2024 Contrast Security, Inc
  * Contact: support@contrastsecurity.com
  * License: Commercial

package/lib/event-factory.js CHANGED Viewed

@@ -1,5 +1,5 @@
 /*
- * Copyright: 2023 Contrast Security, Inc
+ * Copyright: 2024 Contrast Security, Inc
  * Contact: support@contrastsecurity.com
  * License: Commercial
@@ -16,9 +16,11 @@
 'use strict';
 const { InputType, match } = require('@contrast/common');
-const annotationRegExp = /^(A|O|R|P|P\d+)$/;
+const ANNOTATION_REGEX = /^(A|O|R|P|P\d+)$/;
+const SOURCE_EVENT_MSG = 'Source event not created: %s';
+const PROPAGATION_EVENT_MSG = 'Propagation event not created: %s';
-module.exports = function(core) {
+module.exports = function (core) {
   const {
     createSnapshot,
     config,
@@ -30,7 +32,7 @@ module.exports = function(core) {
   eventFactory.createdEvents = new WeakSet();
-  eventFactory.createSourceEvent = function(data = {}) {
+  eventFactory.createSourceEvent = function (data = {}) {
     const {
       name,
       result = { value: null, tracked: false },
@@ -39,31 +41,29 @@ module.exports = function(core) {
       stack,
     } = data;
-    const baseMessage = 'Source event not created: %s';
     if (!result.value) {
-      logger.debug({ result }, baseMessage, 'invalid result');
+      logger.debug({ name }, SOURCE_EVENT_MSG, 'invalid result');
       return null;
     }
     if (!name) {
-      logger.debug({ data }, baseMessage, 'invalid name');
+      logger.debug({ name }, SOURCE_EVENT_MSG, 'invalid name');
       return null;
     }
     if (!(inputType in InputType)) {
-      logger.debug({ inputType }, baseMessage, 'invalid inputType');
+      logger.debug({ name }, SOURCE_EVENT_MSG, 'invalid inputType');
       return null;
     }
     if (!tags) {
-      logger.debug({ data }, baseMessage, 'event has no tags');
+      logger.debug({ name }, SOURCE_EVENT_MSG, 'event has no tags');
       return null;
     }
     if (!stack || !Array.isArray(stack)) {
-      logger.debug({ data }, baseMessage, 'invalid stack');
+      logger.debug({ name }, SOURCE_EVENT_MSG, 'invalid stack');
       return null;
     }
@@ -73,7 +73,7 @@ module.exports = function(core) {
     return data;
   };
-  eventFactory.createPropagationEvent = function(data) {
+  eventFactory.createPropagationEvent = function (data) {
     const {
       name = '',
       moduleName,
@@ -104,20 +104,22 @@ module.exports = function(core) {
     }
     if (!name) {
-      logger.debug({ name }, 'Propagation event not created: invalid name');
+      logger.debug({ name }, PROPAGATION_EVENT_MSG, 'invalid name');
       return null;
     }
     if (!history.length) {
-      logger.debug({ name, history }, 'Propagation event not created: invalid history');
+      logger.debug({ name }, PROPAGATION_EVENT_MSG, 'invalid history');
       return null;
     }
-    if (
-      (!source || !match(source, annotationRegExp)) ||
-      (!target || !match(target, annotationRegExp))
-    ) {
-      logger.debug({ name, source, target }, 'Propagation event not created: %s', 'invalid source/target');
+    if (!source || !match(source, ANNOTATION_REGEX)) {
+      logger.debug({ name }, PROPAGATION_EVENT_MSG, 'invalid source');
+      return null;
+    }
+    if (!target || !match(target, ANNOTATION_REGEX)) {
+      logger.debug({ name }, PROPAGATION_EVENT_MSG, 'invalid target');
       return null;
     }
@@ -152,7 +154,7 @@ module.exports = function(core) {
     return event;
   };
-  eventFactory.createSinkEvent = function(data) {
+  eventFactory.createSinkEvent = function (data) {
     const {
       context,
       name = '',
@@ -169,21 +171,21 @@ module.exports = function(core) {
     const sourceContext = sources.getStore()?.assess;
     if (!sourceContext) {
-      logger.debug('no sourceContext found during sink event creation');
+      logger.debug({ name }, 'no sourceContext found during sink event creation');
       return null;
     }
     if (!name) {
-      logger.debug({ data }, 'no sink event name');
+      logger.debug({ name }, 'no sink event name');
       return null;
     }
     if (!history.length) {
-      logger.debug({ data }, 'empty history for sink event');
+      logger.debug({ name }, 'empty history for sink event');
       return null;
     }
     if (
-      (!source || !source.match(annotationRegExp))
+      (!source || !source.match(ANNOTATION_REGEX))
     ) {
-      logger.debug({ data }, 'malformed or missing sink event source field');
+      logger.debug({ name }, 'malformed or missing sink event source field');
       return null;
     }
@@ -214,7 +216,7 @@ module.exports = function(core) {
     return event;
   };
-  eventFactory.createSessionEvent = function(data) {
+  eventFactory.createSessionEvent = function (data) {
     const {
       context,
       name = '',
@@ -230,14 +232,14 @@ module.exports = function(core) {
     } = data;
     if (!name) {
-      logger.debug({ data }, 'no sink event name');
+      logger.debug({ name }, 'no sink event name');
       return null;
     }
     if (
-      (!source || !source.match(annotationRegExp))
+      (!source || !source.match(ANNOTATION_REGEX))
     ) {
-      logger.debug({ data }, 'malformed or missing sink event source field');
+      logger.debug({ name }, 'malformed or missing sink event source field');
       return null;
     }
@@ -285,7 +287,7 @@ module.exports = function(core) {
    * }} data
    * @returns {any}
    */
-  eventFactory.createCryptoAnalysisEvent = function(data) {
+  eventFactory.createCryptoAnalysisEvent = function (data) {
     const {
       name = '',
       source,
@@ -293,12 +295,12 @@ module.exports = function(core) {
     } = data;
     if (!name) {
-      logger.debug({ data }, 'no sink event name');
+      logger.debug({ name }, 'no sink event name');
       return null;
     }
-    if (!source || !source.match(annotationRegExp)) {
-      logger.debug({ data }, 'malformed or missing sink event source field');
+    if (!source || !source.match(ANNOTATION_REGEX)) {
+      logger.debug({ name }, 'malformed or missing sink event source field');
       return null;
     }

package/lib/get-policy.js CHANGED Viewed

@@ -1,5 +1,5 @@
 /*
- * Copyright: 2023 Contrast Security, Inc
+ * Copyright: 2024 Contrast Security, Inc
  * Contact: support@contrastsecurity.com
  * License: Commercial

package/lib/get-source-context.js CHANGED Viewed

@@ -1,5 +1,5 @@
 /*
- * Copyright: 2023 Contrast Security, Inc
+ * Copyright: 2024 Contrast Security, Inc
  * Contact: support@contrastsecurity.com
  * License: Commercial

package/lib/index.d.ts CHANGED Viewed

@@ -1,5 +1,5 @@
 /*
- * Copyright: 2023 Contrast Security, Inc
+ * Copyright: 2024 Contrast Security, Inc
  * Contact: support@contrastsecurity.com
  * License: Commercial
@@ -13,7 +13,10 @@
  * way not consistent with the End User License Agreement.
  */
 import { IncomingMessage, ServerResponse } from 'node:http';
-import { Rule } from '@contrast/common';
+import {
+  Rule,
+  SessionConfigurationRule,
+} from '@contrast/common';
 export enum InstrumentationType {
   SOURCE = 'source',
@@ -40,11 +43,22 @@ export interface RuleScopes {
   isLocked(ruleId: Rule): boolean;
 }
+export interface SessionRuleState {
+  reported: boolean,
+  valuesAnalyzed: Set<string>,
+}
+export interface RuleState {
+  [SessionConfigurationRule.HTTPONLY]?: SessionRuleState,
+  [SessionConfigurationRule.SECURE_FLAG_MISSING]?: SessionRuleState,
+}
 export interface Assess {
   getPolicy(): Policy,
   getSourceContext(instrType?: InstrumentationType, opts?: any): SourceContext,
   makeSourceContext(req: IncomingMessage, res: ServerResponse): SourceContext,
   ruleScopes: RuleScopes,
+  ruleState: RuleState,
 }
 export function getSourceContext(instrType?: InstrumentationType, ops?: any): SourceContext;

package/lib/index.js CHANGED Viewed

@@ -1,5 +1,5 @@
 /*
- * Copyright: 2023 Contrast Security, Inc
+ * Copyright: 2024 Contrast Security, Inc
  * Contact: support@contrastsecurity.com
  * License: Commercial

package/lib/make-source-context.js CHANGED Viewed

@@ -1,5 +1,5 @@
 /*
- * Copyright: 2023 Contrast Security, Inc
+ * Copyright: 2024 Contrast Security, Inc
  * Contact: support@contrastsecurity.com
  * License: Commercial
@@ -29,6 +29,9 @@ module.exports = function(core) {
     logger,
   } = core;
+  /**
+   * @returns {import('@contrast/assess').SourceContext}
+   */
   return core.assess.makeSourceContext = function (req, res) {
     let contentType, queries, uriPath;
@@ -61,7 +64,8 @@ module.exports = function(core) {
           queries,
           contentType,
         },
-        responseData: {}
+        responseData: {},
+        ruleState: {},
       };
     } catch (err) {
       logger.error(

package/lib/response-scanning/handlers/index.js CHANGED Viewed

@@ -1,5 +1,5 @@
 /*
- * Copyright: 2023 Contrast Security, Inc
+ * Copyright: 2024 Contrast Security, Inc
  * Contact: support@contrastsecurity.com
  * License: Commercial

package/lib/response-scanning/handlers/utils.js CHANGED Viewed

@@ -1,5 +1,5 @@
 /*
- * Copyright: 2023 Contrast Security, Inc
+ * Copyright: 2024 Contrast Security, Inc
  * Contact: support@contrastsecurity.com
  * License: Commercial

package/lib/response-scanning/index.js CHANGED Viewed

@@ -1,5 +1,5 @@
 /*
- * Copyright: 2023 Contrast Security, Inc
+ * Copyright: 2024 Contrast Security, Inc
  * Contact: support@contrastsecurity.com
  * License: Commercial

package/lib/response-scanning/install/http.js CHANGED Viewed

@@ -1,5 +1,5 @@
 /*
- * Copyright: 2023 Contrast Security, Inc
+ * Copyright: 2024 Contrast Security, Inc
  * Contact: support@contrastsecurity.com
  * License: Commercial

package/lib/rule-scopes.js CHANGED Viewed

@@ -1,5 +1,5 @@
 /*
- * Copyright: 2023 Contrast Security, Inc
+ * Copyright: 2024 Contrast Security, Inc
  * Contact: support@contrastsecurity.com
  * License: Commercial

package/lib/session-configuration/common.js CHANGED Viewed

@@ -1,5 +1,5 @@
 /*
- * Copyright: 2023 Contrast Security, Inc
+ * Copyright: 2024 Contrast Security, Inc
  * Contact: support@contrastsecurity.com
  * License: Commercial