npm - @contrast/assess - Versions diffs - 1.27.2 → 1.28.1 - Mend

@contrast/assess 1.27.2 → 1.28.1

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (63) hide show

package/lib/constants.js CHANGED Viewed

@@ -16,9 +16,9 @@
 'use strict';
 const InstrumentationType = {
-  SOURCE: 'source',
-  PROPAGATOR: 'propagator',
-  RULE: 'rule',
+  SOURCE: 'SOURCE',
+  PROPAGATOR: 'PROPAGATOR',
+  RULE: 'RULE',
 };
 module.exports = {

package/lib/crypto-analysis/install/crypto.js CHANGED Viewed

@@ -15,7 +15,6 @@
 'use strict';
-const { inspect } = require('util');
 const {
   Rule,
   isString,
@@ -54,6 +53,7 @@ module.exports = function (core) {
     logger,
     patcher,
     assess: {
+      inspect, // todo: remove
       eventFactory,
       cryptoAnalysis,
       getSourceContext,

package/lib/dataflow/propagation/install/JSON/parse.js CHANGED Viewed

@@ -15,7 +15,7 @@
 'use strict';
-const { isString, inspect } = require('@contrast/common');
+const { isString } = require('@contrast/common');
 const { createSubsetTags } = require('../../../tag-utils');
 const { patchType } = require('../../common');
 const { getKeyValueIndices } = require('./parse-fn');
@@ -75,7 +75,7 @@ module.exports = function (core) {
       moduleName: 'JSON',
       methodName: 'parse',
       object: {
-        value: inspect(data.obj),
+        value: 'JSON',
         tracked: false,
       },
       args: eventArgs,

package/lib/dataflow/propagation/install/JSON/stringify.js CHANGED Viewed

@@ -15,12 +15,10 @@
 'use strict';
-const {
-  createMergedTags
-} = require('../../../tag-utils');
-const { isString, inspect, replace, match, matchAll, slice } = require('@contrast/common');
-const { patchType } = require('../../common');
 const crypto = require('crypto');
+const { isString, replace, match, matchAll, slice } = require('@contrast/common');
+const { createMergedTags, getAdjustedUntrackedValue } = require('../../../tag-utils');
+const { patchType } = require('../../common');
 function makeCanary() {
   return replace(
@@ -88,7 +86,6 @@ module.exports = function(core) {
       return null;
     }
     const props = tracker.getData(slice(space, 0, 10));
     if (!props || !Object.keys(props.tags).length) {
       return null;
@@ -246,21 +243,23 @@ module.exports = function(core) {
             methodName: 'stringify',
             history: Array.from(metadata.history),
             object: {
-              value: inspect(data.obj),
+              value: 'JSON',
               tracked: false
             },
             args: [
               {
-                value: inspect(metadata.origArgs[0]),
+                value: getAdjustedUntrackedValue(metadata.origArgs[0]),
                 tracked: false
               },
               (metadata.origArgs[1] && {
-                value: inspect(metadata.origArgs[1]),
+                value: getAdjustedUntrackedValue(metadata.origArgs[1]),
                 tracked: false
               }),
               (metadata.origArgs[2] && {
-                value: inspect(metadata.origArgs[2]),
-                tracked: !!metadata.spaceProps
+                tracked: !!metadata.spaceProps,
+                value: metadata.spaceProps ?
+                  `'${metadata.origArgs[2]}'` :
+                  getAdjustedUntrackedValue(metadata.origArgs[2]),
               })
             ].filter(Boolean),
             result: {

package/lib/dataflow/propagation/install/array-prototype-join.js CHANGED Viewed

@@ -15,17 +15,16 @@
 'use strict';
-const {
-  createAppendTags
-} = require('../../tag-utils');
+const { isString } = require('@contrast/common');
+const { InstrumentationType: { PROPAGATOR } } = require('../../../constants');
+const { createAppendTags } = require('../../tag-utils');
 const { patchType } = require('../common');
-const { isString, join, inspect } = require('@contrast/common');
 module.exports = function(core) {
   const {
-    scopes: { sources, instrumentation },
     patcher,
     assess: {
+      getSourceContext,
       eventFactory: { createPropagationEvent },
       dataflow: { tracker }
     }
@@ -71,7 +70,7 @@ module.exports = function(core) {
         patchType,
         post(data) {
           const { args: origArgs, obj, result, hooked, orig } = data;
-          if (!result || !sources.getStore()?.assess || instrumentation.isLocked()) return;
+          if (!result || !(getSourceContext(PROPAGATOR))) return;
           const resultInfo = tracker.getData(result);
           const delimiter = origArgs[0] === undefined ? ',' : origArgs[0];
@@ -79,10 +78,6 @@ module.exports = function(core) {
           const delimiterInfo = tracker.getData(delimiter);
           const initHistory = delimiterInfo ? new Set([delimiterInfo]) : new Set();
           const { newTags, newHistory: history } = accumulateTags(obj, {}, 0, initHistory, delimiterLength, delimiterInfo?.tags);
-          const object = {
-            value: obj && join(obj),
-            tracked: false
-          };
           const args = [{
             value: delimiterInfo ? delimiterInfo.value : delimiter,
@@ -94,8 +89,11 @@ module.exports = function(core) {
               name,
               moduleName: 'Array',
               methodName: 'prototype.join',
-              context: `${object.value}.join('${inspect(args[0].value) || ''})`,
-              object,
+              context: `[...].join('${args[0].value || ''}')`,
+              object: {
+                value: 'Array',
+                tracked: false
+              },
               result: {
                 value: resultInfo ? resultInfo.value : result,
                 tracked: true

package/lib/dataflow/propagation/install/buffer.js CHANGED Viewed

@@ -14,11 +14,13 @@
  */
 'use strict';
+const { InstrumentationType: { PROPAGATOR } } = require('../../../constants');
 const { patchType } = require('../common');
 module.exports = function(core) {
   const {
     assess: {
+      getSourceContext,
       eventFactory,
       dataflow: { tracker }
     },
@@ -35,7 +37,7 @@ module.exports = function(core) {
         post(data) {
           const { hooked, obj, orig, result } = data;
-          if (!result) return;
+          if (!result || !getSourceContext(PROPAGATOR)) return;
           const bufferInfo = tracker.getData(obj);
           if (!bufferInfo) {

package/lib/dataflow/propagation/install/contrast-methods/add.js CHANGED Viewed

@@ -15,103 +15,104 @@
 'use strict';
-const util = require('util');
-const {
-  createAppendTags
-} = require('../../../tag-utils');
-const { patchType } = require('../../common');
+const { InstrumentationType: { PROPAGATOR } } = require('../../../../constants');
+const { createAppendTags } = require('../../../tag-utils');
 module.exports = function(core) {
   const {
-    scopes: { instrumentation, sources },
-    patcher,
     assess: {
+      inspect,
+      getSourceContext,
       eventFactory: { createPropagationEvent },
       dataflow: { tracker }
     }
   } = core;
-  const inspect = patcher.unwrap(util.inspect);
+  const origSym = Symbol('ContrastMethods.add.orig');
   return core.assess.dataflow.propagation.contrastMethodsInstrumentation.add = {
     install() {
-      patcher.patch(global.ContrastMethods, 'add', {
-        name: 'ContrastMethods.add',
-        patchType,
-        post(data) {
-          const { args, result, hooked } = data;
-          if (!result || !sources.getStore()?.assess || instrumentation.isLocked()) return;
+      // + is fast and typically called often. therefore we patch ContrastMethods.add
+      // manually instead of using patcher. this propagator is the only
+      // patch for it, so we don't have to worry about managing patch execution order
+      // (which patcher would do).
+      const { add } = global.ContrastMethods;
+      global.ContrastMethods.add = function(...args) {
+        // first get result, then following logic acts as post-hook in patcher speak
+        const result = add(...args);
-          const rInfo = tracker.getData(result);
-          if (rInfo) {
-            // this may happen w/ '' + 'tracked' => 'tracked'
-            return;
-          }
+        if (!result || !getSourceContext(PROPAGATOR)) return result;
-          const leftStringInfo = tracker.getData(args[0]);
-          const rightStringInfo = tracker.getData(args[1]);
+        const rInfo = tracker.getData(result);
+        if (rInfo) {
+          // this may happen w/ '' + 'tracked' => 'tracked'
+          return result;
+        }
-          let newTags = {};
-          const history = [];
+        const leftStringInfo = tracker.getData(args[0]);
+        const rightStringInfo = tracker.getData(args[1]);
-          if (leftStringInfo) {
-            history.push(leftStringInfo);
-            newTags = leftStringInfo.tags || {};
-          }
+        let newTags = {};
+        const history = [];
-          if (rightStringInfo) {
-            history.push(rightStringInfo);
-            newTags = createAppendTags(newTags, rightStringInfo.tags, args[0].length);
-          }
+        if (leftStringInfo) {
+          history.push(leftStringInfo);
+          newTags = leftStringInfo.tags || {};
+        }
-          if (history.length) {
-            const leftArg = leftStringInfo ? leftStringInfo.value : args[0];
-            const rightArg = rightStringInfo ? rightStringInfo.value : args[1];
-            const event = createPropagationEvent({
-              args: [
-                {
-                  tracked: !!leftStringInfo,
-                  value: leftArg
-                },
-                {
-                  tracked: !!rightStringInfo,
-                  value: rightArg,
-                }
-              ],
-              context: `${inspect(leftArg)} + ${inspect(rightArg)}`,
-              moduleName: 'global',
-              methodName: 'ContrastMethods.add',
-              history,
-              object: {
-                value: 'String Addition',
-                tracked: false
-              },
-              name: 'ContrastMethods.add',
-              result: {
-                value: result,
-                tracked: true
-              },
-              source: 'P',
-              stacktraceOpts: {
-                constructorOpt: hooked,
-              },
-              tags: newTags,
-              target: 'R',
-            });
+        if (rightStringInfo) {
+          history.push(rightStringInfo);
+          newTags = createAppendTags(newTags, rightStringInfo.tags, args[0].length);
+        }
-            if (!event) return;
+        if (history.length) {
+          const leftArg = leftStringInfo ? leftStringInfo.value : args[0];
+          const rightArg = rightStringInfo ? rightStringInfo.value : args[1];
+          const event = createPropagationEvent({
+            args: [
+              {
+                tracked: !!leftStringInfo,
+                value: leftArg
+              },
+              {
+                tracked: !!rightStringInfo,
+                value: rightArg,
+              }
+            ],
+            context: `${inspect(leftArg)} + ${inspect(rightArg)}`,
+            moduleName: 'global',
+            methodName: 'ContrastMethods.add',
+            history,
+            object: {
+              value: 'String Addition',
+              tracked: false
+            },
+            name: 'ContrastMethods.add',
+            result: {
+              value: result,
+              tracked: true
+            },
+            source: 'P',
+            stacktraceOpts: {
+              constructorOpt: add,
+            },
+            tags: newTags,
+            target: 'R',
+          });
+          if (event) {
             const { extern } = tracker.track(result, event);
-            if (extern) {
-              data.result = extern;
-            }
+            if (extern) return extern;
           }
         }
-      });
+        return result;
+      };
+      global.ContrastMethods.add[origSym] = add;
     },
     uninstall() {
-      global.ContrastMethods.add = patcher.unwrap(global.ContrastMethods.add);
+      const orig = global.ContrastMethods.add[origSym];
+      if (orig) global.ContrastMethods.add = orig;
     },
   };
 };

package/lib/dataflow/propagation/install/contrast-methods/number.js CHANGED Viewed

@@ -16,14 +16,15 @@
 'use strict';
 const { isString } = require('@contrast/common');
+const { InstrumentationType: { PROPAGATOR } } = require('../../../../constants');
 const { patchType } = require('../../common');
 module.exports = function (core) {
   const {
     logger,
-    scopes: { instrumentation, sources },
     patcher,
     assess: {
+      getSourceContext,
       dataflow: { tracker }
     }
   } = core;
@@ -38,13 +39,11 @@ module.exports = function (core) {
         post(data) {
           const { args: [value], result } = data;
           if (
+            !tracker.getData(value) ||
             isNaN(result) ||
             !value ||
             !isString(value) ||
-            !sources.getStore()?.assess ||
-            instrumentation.isLocked() ||
-            // why not just do this first? won't need check for NaN, !value, !isString, etc.
-            !tracker.getData(value)
+            !getSourceContext(PROPAGATOR)
           ) return;
           tracker.untrack(value);

package/lib/dataflow/propagation/install/contrast-methods/string.js CHANGED Viewed

@@ -16,6 +16,7 @@
 'use strict';
 const { DataflowTag } = require('@contrast/common');
+const { InstrumentationType: { PROPAGATOR } } = require('../../../../constants');
 const { patchType } = require('../../common');
 function metadataUpdate(strInfo, event) {
@@ -29,9 +30,9 @@ function metadataUpdate(strInfo, event) {
 module.exports = function(core) {
   const {
-    scopes: { sources, instrumentation },
     patcher,
     assess: {
+      getSourceContext,
       eventFactory: { createPropagationEvent },
       dataflow: { tracker },
     }
@@ -44,7 +45,7 @@ module.exports = function(core) {
         name,
         patchType,
         post(data) {
-          if (!data.result || !sources.getStore() || instrumentation.isLocked()) return;
+          if (!data.result || !getSourceContext(PROPAGATOR)) return;
           const arg = data.args[0];
           let argInfo = tracker.getData(arg);

package/lib/dataflow/propagation/install/contrast-methods/tag.js CHANGED Viewed

@@ -15,16 +15,17 @@
 'use strict';
+const { InstrumentationType: { PROPAGATOR } } = require('../../../../constants');
 const { patchType } = require('../../common');
 module.exports = function(core) {
   const {
     assess: {
+      getSourceContext,
       eventFactory: { createPropagationEvent },
       dataflow: { tracker },
     },
     patcher,
-    scopes: { sources, instrumentation },
   } = core;
   const tag = {
@@ -33,11 +34,7 @@ module.exports = function(core) {
         name: 'ContrastMethods.tag',
         patchType,
         post(data) {
-          if (
-            !data.result ||
-            !sources.getStore()?.assess ||
-            instrumentation.isLocked()
-          ) {
+          if (!data.result || !getSourceContext(PROPAGATOR)) {
             return;
           }

package/lib/dataflow/propagation/install/joi/boolean.js CHANGED Viewed

@@ -15,10 +15,7 @@
 'use strict';
-const {
-  DataflowTag: { ALPHANUM_SPACE_HYPHEN },
-  inspect,
-} = require('@contrast/common');
+const { DataflowTag: { ALPHANUM_SPACE_HYPHEN } } = require('@contrast/common');
 const { patchType } = require('../../common');
 module.exports = function(core) {
@@ -27,6 +24,7 @@ module.exports = function(core) {
     scopes: { sources, instrumentation },
     patcher,
     assess: {
+      inspect, // todo: remove
       eventFactory: { createPropagationEvent },
       dataflow: { tracker },
     },

package/lib/dataflow/propagation/install/joi/expression.js CHANGED Viewed

@@ -15,10 +15,7 @@
 'use strict';
-const {
-  DataflowTag: { HTML_ENCODED },
-  inspect,
-} = require('@contrast/common');
+const { DataflowTag: { HTML_ENCODED } } = require('@contrast/common');
 const { patchType } = require('../../common');
 module.exports = function(core) {
@@ -27,6 +24,7 @@ module.exports = function(core) {
     scopes: { sources, instrumentation },
     patcher,
     assess: {
+      inspect, // todo: remove
       eventFactory: { createPropagationEvent },
       dataflow: { tracker },
     },

package/lib/dataflow/propagation/install/joi/index.js CHANGED Viewed

@@ -20,7 +20,6 @@ const {
   isString,
   isNonEmptyObject,
   traverseValues,
-  inspect,
 } = require('@contrast/common');
 const { patchType } = require('../../common');
 const { tagCustomValidatedString, handleReferences } = require('./utils');
@@ -30,6 +29,7 @@ module.exports = function(core) {
     patcher,
     scopes: { sources, instrumentation },
     assess: {
+      inspect, // todo: remove
       eventFactory: { createPropagationEvent },
       dataflow: { tracker },
     },

package/lib/dataflow/propagation/install/joi/number.js CHANGED Viewed

@@ -15,10 +15,7 @@
 'use strict';
-const {
-  DataflowTag: { LIMITED_CHARS },
-  inspect,
-} = require('@contrast/common');
+const { DataflowTag: { LIMITED_CHARS } } = require('@contrast/common');
 const { patchType } = require('../../common');
 module.exports = function(core) {
@@ -27,6 +24,7 @@ module.exports = function(core) {
     scopes: { sources, instrumentation },
     patcher,
     assess: {
+      inspect, // todo: remove
       eventFactory: { createPropagationEvent },
       dataflow: { tracker },
     },

package/lib/dataflow/propagation/install/joi/string-schema.js CHANGED Viewed

@@ -16,12 +16,16 @@
 'use strict';
 const {
-  DataflowTag: { ALPHANUM_SPACE_HYPHEN, LIMITED_CHARS, STRING_TYPE_CHECKED },
-  inspect,
+  DataflowTag: {
+    ALPHANUM_SPACE_HYPHEN,
+    LIMITED_CHARS,
+    STRING_TYPE_CHECKED
+  },
 } = require('@contrast/common');
-const { handleReferences } = require('./utils');
 const { createFullLengthCopyTags } = require('../../../tag-utils');
 const { patchType } = require('../../common');
+const { handleReferences } = require('./utils');
 const VALIDATORS = {
   base64: ALPHANUM_SPACE_HYPHEN,
   guid: ALPHANUM_SPACE_HYPHEN,
@@ -42,6 +46,7 @@ module.exports = function(core) {
     scopes: { sources, instrumentation },
     patcher,
     assess: {
+      inspect, // todo: remove
       eventFactory: { createPropagationEvent },
       dataflow: {
         tracker, propagation: {

package/lib/dataflow/propagation/install/joi/values.js CHANGED Viewed

@@ -16,7 +16,10 @@
 'use strict';
 const {
-  isNonEmptyObject, isString, inspect, traverseValues, join
+  isNonEmptyObject,
+  isString,
+  join,
+  traverseValues,
 } = require('@contrast/common');
 const { createMergedTags } = require('../../../tag-utils');
 const { patchType } = require('../../common');
@@ -27,6 +30,7 @@ module.exports = function(core) {
     scopes: { sources, instrumentation },
     patcher,
     assess: {
+      inspect, // todo: remove
       eventFactory: { createPropagationEvent },
       dataflow: { tracker },
     },

package/lib/dataflow/propagation/install/path/format.js CHANGED Viewed

@@ -14,9 +14,9 @@
  */
 'use strict';
+const { join, isString } = require('@contrast/common');
 const { patchType } = require('../../common');
-const { isString, inspect } = require('@contrast/common');
-const { createMergedTags } = require('../../../tag-utils');
+const { createMergedTags, getAdjustedUntrackedValue } = require('../../../tag-utils');
 const {
   createArgTagsInResult,
   excludeExtensionDotFromTags
@@ -65,7 +65,10 @@ module.exports = function(core) {
                 let newTags = {};
                 const propInfo = isString(prop) && tracker.getData(prop);
                 if (!propInfo) {
-                  eventArgs.unshift({ value: prop, tracked: false });
+                  eventArgs.unshift({
+                    value: getAdjustedUntrackedValue(prop),
+                    tracked: false
+                  });
                   continue;
                 }
@@ -95,7 +98,7 @@ module.exports = function(core) {
                 name: patchName,
                 moduleName: 'path',
                 methodName: 'format',
-                context: `path.format('${inspect(...args)}')`,
+                context: `path.format(${join(eventArgs.map((a) => a.value))})`,
                 history,
                 object: {
                   value: 'path',

package/lib/dataflow/propagation/install/path/parse.js CHANGED Viewed

@@ -14,12 +14,10 @@
  */
 'use strict';
-const { patchType } = require('../../common');
-const { isString, inspect } = require('@contrast/common');
+const { isString } = require('@contrast/common');
 const { createSubsetTags } = require('../../../tag-utils');
-const {
-  excludeExtensionDotFromTags
-} = require('./common');
+const { patchType } = require('../../common');
+const { excludeExtensionDotFromTags } = require('./common');
 module.exports = function(core) {
   const {
@@ -27,6 +25,7 @@ module.exports = function(core) {
     patcher,
     scopes: { sources, instrumentation },
     assess: {
+      inspect, // todo: remove
       eventFactory: { createPropagationEvent },
       dataflow: { tracker },
     },

package/lib/dataflow/propagation/install/querystring/escape.js CHANGED Viewed

@@ -14,7 +14,6 @@
  */
 'use strict';
-const { inspect } = require('util');
 const { DataflowTag: { URL_ENCODED } } = require('@contrast/common');
 const { createFullLengthCopyTags } = require('../../../tag-utils');
 const { patchType } = require('../../common');
@@ -22,6 +21,7 @@ const { patchType } = require('../../common');
 module.exports = function(core) {
   const {
     assess: {
+      inspect, // todo: remove
       eventFactory: { createPropagationEvent },
       dataflow: { tracker }
     },