@contrast/assess 1.27.2 → 1.28.1

Files changed (63) hide show
  1. package/lib/constants.js +3 -3
  2. package/lib/crypto-analysis/install/crypto.js +1 -1
  3. package/lib/dataflow/propagation/install/JSON/parse.js +2 -2
  4. package/lib/dataflow/propagation/install/JSON/stringify.js +10 -11
  5. package/lib/dataflow/propagation/install/array-prototype-join.js +10 -12
  6. package/lib/dataflow/propagation/install/buffer.js +3 -1
  7. package/lib/dataflow/propagation/install/contrast-methods/add.js +73 -72
  8. package/lib/dataflow/propagation/install/contrast-methods/number.js +4 -5
  9. package/lib/dataflow/propagation/install/contrast-methods/string.js +3 -2
  10. package/lib/dataflow/propagation/install/contrast-methods/tag.js +3 -6
  11. package/lib/dataflow/propagation/install/joi/boolean.js +2 -4
  12. package/lib/dataflow/propagation/install/joi/expression.js +2 -4
  13. package/lib/dataflow/propagation/install/joi/index.js +1 -1
  14. package/lib/dataflow/propagation/install/joi/number.js +2 -4
  15. package/lib/dataflow/propagation/install/joi/string-schema.js +8 -3
  16. package/lib/dataflow/propagation/install/joi/values.js +5 -1
  17. package/lib/dataflow/propagation/install/path/format.js +7 -4
  18. package/lib/dataflow/propagation/install/path/parse.js +4 -5
  19. package/lib/dataflow/propagation/install/querystring/escape.js +1 -1
  20. package/lib/dataflow/propagation/install/querystring/parse.js +6 -7
  21. package/lib/dataflow/propagation/install/querystring/stringify.js +1 -1
  22. package/lib/dataflow/propagation/install/reg-exp-prototype-exec.js +2 -3
  23. package/lib/dataflow/propagation/install/string/concat.js +22 -23
  24. package/lib/dataflow/propagation/install/string/html-methods.js +6 -7
  25. package/lib/dataflow/propagation/install/string/index.js +3 -3
  26. package/lib/dataflow/propagation/install/string/match-all.js +10 -15
  27. package/lib/dataflow/propagation/install/string/match.js +5 -4
  28. package/lib/dataflow/propagation/install/string/replace.js +22 -16
  29. package/lib/dataflow/propagation/install/string/slice.js +7 -6
  30. package/lib/dataflow/propagation/install/string/split.js +17 -16
  31. package/lib/dataflow/propagation/install/string/substring.js +9 -8
  32. package/lib/dataflow/propagation/install/string/trim.js +4 -5
  33. package/lib/dataflow/propagation/install/url/parse.js +1 -1
  34. package/lib/dataflow/propagation/install/url/searchParams.js +2 -1
  35. package/lib/dataflow/propagation/install/url/url.js +1 -1
  36. package/lib/dataflow/sinks/install/child-process.js +1 -1
  37. package/lib/dataflow/sinks/install/express/reflected-xss.js +7 -5
  38. package/lib/dataflow/sinks/install/express/unvalidated-redirect.js +1 -2
  39. package/lib/dataflow/sinks/install/fastify/unvalidated-redirect.js +1 -3
  40. package/lib/dataflow/sinks/install/fs.js +1 -1
  41. package/lib/dataflow/sinks/install/function.js +1 -1
  42. package/lib/dataflow/sinks/install/hapi/unvalidated-redirect.js +1 -2
  43. package/lib/dataflow/sinks/install/http/request.js +6 -5
  44. package/lib/dataflow/sinks/install/koa/unvalidated-redirect.js +2 -2
  45. package/lib/dataflow/sinks/install/libxmljs.js +1 -1
  46. package/lib/dataflow/sinks/install/marsdb.js +1 -2
  47. package/lib/dataflow/sinks/install/mongodb.js +46 -9
  48. package/lib/dataflow/sinks/install/mysql.js +1 -1
  49. package/lib/dataflow/sinks/install/postgres.js +1 -3
  50. package/lib/dataflow/sinks/install/sequelize.js +1 -2
  51. package/lib/dataflow/sinks/install/vm.js +1 -1
  52. package/lib/dataflow/sources/install/body-parser1.js +12 -5
  53. package/lib/dataflow/sources/install/cookie-parser1.js +4 -3
  54. package/lib/dataflow/sources/install/qs6.js +7 -5
  55. package/lib/dataflow/sources/install/querystring.js +8 -2
  56. package/lib/dataflow/tag-utils.js +22 -5
  57. package/lib/get-source-context.js +2 -1
  58. package/lib/index.js +13 -0
  59. package/lib/session-configuration/install/express-session.js +1 -3
  60. package/lib/session-configuration/install/fastify-cookie.js +1 -1
  61. package/lib/session-configuration/install/hapi.js +1 -3
  62. package/lib/session-configuration/install/koa.js +1 -1
  63. package/package.json +2 -2
@@ -18,12 +18,10 @@
18
18
  const querystring = require('querystring');
19
19
  const {
20
20
  DataflowTag: { URL_ENCODED },
21
- inspect,
22
21
  join
23
22
  } = require('@contrast/common');
24
-
23
+ const { createSubsetTags, createAppendTags, getAdjustedUntrackedValue } = require('../../../tag-utils');
25
24
  const { patchType } = require('../../common');
26
- const { createSubsetTags, createAppendTags } = require('../../../tag-utils');
27
25
 
28
26
  module.exports = function(core) {
29
27
  const {
@@ -48,10 +46,11 @@ module.exports = function(core) {
48
46
  if (!tagRanges) return result;
49
47
 
50
48
  const resultInfo = tracker.getData(result);
51
- const [, ...restOfArgsValues] = data.origArgs.map(inspect);
49
+ const [, ...restArgs] = data.origArgs.map(getAdjustedUntrackedValue);
50
+ const restArgStr = restArgs.length ? `,${join(restArgs)}` : '';
52
51
  const event = createPropagationEvent({
53
52
  name: data.name,
54
- context: `querystring.parse('${trackingData.value}', ${join(restOfArgsValues, ', ')})`,
53
+ context: `querystring.parse('${trackingData.value}'${restArgStr})`,
55
54
  moduleName: 'querystring',
56
55
  methodName: 'parse',
57
56
  history: [trackingData],
@@ -60,7 +59,7 @@ module.exports = function(core) {
60
59
  tracked: true,
61
60
  },
62
61
  args: data.origArgs.map((_arg, idx) => ({
63
- value: idx === 0 ? trackingData.value : restOfArgsValues[idx - 1],
62
+ value: idx === 0 ? trackingData.value : restArgs[idx - 1],
64
63
  tracked: !!idx === 0
65
64
  })).filter(el => el),
66
65
  result: {
@@ -116,7 +115,7 @@ module.exports = function(core) {
116
115
  }
117
116
 
118
117
  data.idx = 0;
119
- data.origArgs = data.args;
118
+ data.origArgs = [...data.args];
120
119
  data.trackingData = trackingData;
121
120
 
122
121
  data.args[3] = {
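Review bot: In the third hunk the unchanged line `tracked: !!idx === 0`, next to the renamed `restArgs` lookup, still evaluates `(!!idx) === 0`, which compares a boolean with a number. The result is `false` for every argument, including the tracked first one. If the intent is to mark only argument 0 as tracked, `tracked: idx === 0` says that directly. The trailing `.filter(el => el)` also never removes anything, because the map callback always returns an object. The enclosing function starts and ends outside the hunks shown, so confirm how `tracked` is consumed downstream before changing it.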
@@ -15,7 +15,6 @@
15
15
  'use strict';
16
16
 
17
17
  const querystring = require('querystring');
18
- const { inspect } = require('util');
19
18
  const { isString } = require('@contrast/common');
20
19
  const utils = require('../../../tag-utils');
21
20
  const { patchType } = require('../../common');
@@ -25,6 +24,7 @@ const moduleName = 'querystring';
25
24
  module.exports = function(core) {
26
25
  const {
27
26
  assess: {
27
+ inspect, // todo: remove
28
28
  dataflow: { tracker },
29
29
  eventFactory: { createPropagationEvent },
30
30
  },
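Review bot: `inspect, // todo: remove` in the second hunk replaces a module-level `require` with a value destructured from `core.assess` when the factory runs, so `inspect` is `undefined` here if `core.assess.inspect` has not been assigned by then. That assignment is not visible on this page and should be confirmed. The TODO would be easier to act on with an owner or ticket and the intended replacement, for example `inspect, // TODO(owner): replace remaining inspect() calls` (presumably with `getAdjustedUntrackedValue`, as the other sections do). The same line is added in three later sections: the one defining `htmlTagsLengths` and the two that destructure `depHooks`.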
@@ -14,8 +14,7 @@
14
14
  */
15
15
 
16
16
  'use strict';
17
- const { inspect } = require('@contrast/common');
18
- const { createSubsetTags } = require('../../tag-utils');
17
+ const { createSubsetTags, getAdjustedUntrackedValue } = require('../../tag-utils');
19
18
  const { patchType } = require('../common');
20
19
 
21
20
  module.exports = function(core) {
@@ -58,7 +57,7 @@ module.exports = function(core) {
58
57
  ],
59
58
  tags,
60
59
  result: {
61
- value: inspect(untrackedResult),
60
+ value: getAdjustedUntrackedValue(untrackedResult),
62
61
  tracked: false,
63
62
  },
64
63
  stacktraceOpts: {
@@ -15,17 +15,16 @@
15
15
 
16
16
  'use strict';
17
17
 
18
- const {
19
- createAppendTags
20
- } = require('../../../tag-utils');
21
- const { join, inspect } = require('@contrast/common');
18
+ const { join } = require('@contrast/common');
19
+ const { InstrumentationType: { PROPAGATOR } } = require('../../../../constants');
20
+ const { createAppendTags, getAdjustedUntrackedValue } = require('../../../tag-utils');
22
21
  const { patchType } = require('../../common');
23
22
 
24
23
  module.exports = function(core) {
25
24
  const {
26
- scopes: { sources, instrumentation },
27
25
  patcher,
28
26
  assess: {
27
+ getSourceContext,
29
28
  eventFactory: { createPropagationEvent },
30
29
  dataflow: { tracker }
31
30
  }
@@ -39,8 +38,8 @@ module.exports = function(core) {
39
38
  name,
40
39
  patchType,
41
40
  post(data) {
42
- const { args, obj, result, hooked, orig } = data;
43
- if (!result || !sources.getStore()?.assess || instrumentation.isLocked()) return;
41
+ const { obj, result, hooked, orig } = data;
42
+ if (!result || !getSourceContext(PROPAGATOR)) return;
44
43
 
45
44
  const rInfo = tracker.getData(result);
46
45
  if (rInfo) {
@@ -48,45 +47,45 @@ module.exports = function(core) {
48
47
  return;
49
48
  }
50
49
 
51
- const argsData = [];
52
50
  const objInfo = tracker.getData(obj);
53
51
  const history = objInfo ? new Set([objInfo]) : new Set();
54
- const newTags = { ...objInfo?.tags };
55
52
  let globalOffset = typeof obj !== 'function' ? obj.length : 0;
53
+ const args = [];
54
+ let tags = objInfo?.tags;
56
55
 
57
- for (const str of args) {
58
- const strInfo = tracker.getData(str);
56
+ for (const arg of data.args) {
57
+ const strInfo = tracker.getData(arg);
59
58
 
60
59
  if (strInfo) {
61
- const strTags = strInfo?.tags || {};
60
+ args.push({ tracked: true, value: arg });
62
61
  history.add(strInfo);
63
- Object.assign(newTags, createAppendTags(newTags, strTags, globalOffset));
62
+ tags = createAppendTags(tags, strInfo.tags, globalOffset);
63
+ } else {
64
+ args.push({ tracked: false, value: getAdjustedUntrackedValue(arg) });
64
65
  }
65
66
 
66
- argsData.push({
67
- value: strInfo?.value ?? str,
68
- tracked: !!strInfo
69
- });
70
-
71
- globalOffset += `${str}`.length;
67
+ globalOffset += `${arg}`.length;
72
68
  }
73
69
 
70
+ const objVal = objInfo ? `'${objInfo.value}'` : getAdjustedUntrackedValue(obj);
71
+ const context = `${objVal}.concat(${join(args.map((a) => a.value))})`;
72
+
74
73
  if (history.size) {
75
74
  const event = createPropagationEvent({
76
75
  name,
77
76
  moduleName: 'String',
78
77
  methodName: 'prototype.concat',
79
- context: `${inspect(objInfo?.value) || String(obj)}.concat(${inspect(join(argsData.map(d => d.value)), ', ')})`,
78
+ context,
80
79
  object: {
81
- value: objInfo?.value || String(obj),
80
+ value: objInfo?.value ?? getAdjustedUntrackedValue(obj),
82
81
  tracked: !!objInfo
83
82
  },
84
83
  result: {
85
84
  value: result,
86
85
  tracked: true
87
86
  },
88
- args: argsData,
89
- tags: newTags,
87
+ args,
88
+ tags,
90
89
  history: Array.from(history),
91
90
  source: objInfo ? (history.size > 1 ? 'A' : 'O') : 'P',
92
91
  target: 'R',
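Review bot: In the third hunk the new loop calls `getAdjustedUntrackedValue(arg)` for every untracked argument, and `objVal` and `context` are built before the `if (history.size)` check. That formatting therefore runs on every instrumented `concat` call that reaches this point, even when nothing is tracked and no event is created. Moving the `const objVal` and `const context` lines inside `if (history.size)`, and formatting untracked arguments only there, keeps the common path cheap. Separately, `let tags = objInfo?.tags;` no longer copies the object's tags as `{ ...objInfo?.tags }` did. That is safe only if `createAppendTags` accepts `undefined` as its first argument and returns a new object rather than mutating its input, which is not visible here. The `post` hook continues past the end of the hunk.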
@@ -15,10 +15,8 @@
15
15
 
16
16
  'use strict';
17
17
 
18
- const {
19
- createAppendTags
20
- } = require('../../../tag-utils');
21
- const { inspect } = require('@contrast/common');
18
+ const { InstrumentationType: { PROPAGATOR } } = require('../../../../constants');
19
+ const { createAppendTags } = require('../../../tag-utils');
22
20
  const { patchType } = require('../../common');
23
21
  const htmlTagsLengths = {
24
22
  anchor: 11,
@@ -33,9 +31,10 @@ const htmlTagsLengths = {
33
31
 
34
32
  module.exports = function(core) {
35
33
  const {
36
- scopes: { sources, instrumentation },
37
34
  patcher,
38
35
  assess: {
36
+ inspect, // todo: remove
37
+ getSourceContext,
39
38
  eventFactory: { createPropagationEvent },
40
39
  dataflow: { tracker }
41
40
  }
@@ -65,7 +64,7 @@ module.exports = function(core) {
65
64
  patchType,
66
65
  post(data) {
67
66
  const { args, obj, result, hooked, orig } = data;
68
- if (!result || !sources.getStore()?.assess || instrumentation.isLocked()) return;
67
+ if (!result || !getSourceContext(PROPAGATOR)) return;
69
68
 
70
69
  const objInfo = tracker.getData(obj);
71
70
  const history = objInfo ? new Set([objInfo]) : new Set();
@@ -122,7 +121,7 @@ module.exports = function(core) {
122
121
  patchType,
123
122
  post(data) {
124
123
  const { obj, result, hooked, orig } = data;
125
- if (!result || !sources.getStore()?.assess || instrumentation.isLocked()) return;
124
+ if (!result || !getSourceContext(PROPAGATOR)) return;
126
125
 
127
126
  const objInfo = tracker.getData(obj);
128
127
 
@@ -15,8 +15,8 @@
15
15
 
16
16
  'use strict';
17
17
 
18
- const { callChildComponentMethodsSync } = require('@contrast/common');
19
- const { inspect, split } = require('@contrast/common');
18
+ const { callChildComponentMethodsSync, split } = require('@contrast/common');
19
+ const { getAdjustedUntrackedValue } = require('../../../tag-utils');
20
20
 
21
21
  module.exports = function(core) {
22
22
  const {
@@ -55,7 +55,7 @@ module.exports = function(core) {
55
55
  ) return;
56
56
 
57
57
  const args = [{
58
- value: inspect(methodArg),
58
+ value: getAdjustedUntrackedValue(methodArg),
59
59
  tracked: false
60
60
  }];
61
61
 
@@ -14,15 +14,16 @@
14
14
  */
15
15
 
16
16
  'use strict';
17
- const { inspect } = require('@contrast/common');
18
- const { patchType } = require('../../common');
17
+
18
+ const { InstrumentationType: { PROPAGATOR } } = require('../../../../constants');
19
19
  const { createSubsetTags } = require('../../../tag-utils');
20
+ const { patchType } = require('../../common');
20
21
 
21
22
  module.exports = function(core) {
22
23
  const {
23
- scopes: { sources, instrumentation },
24
24
  patcher,
25
25
  assess: {
26
+ getSourceContext,
26
27
  eventFactory: { createPropagationEvent },
27
28
  dataflow: {
28
29
  tracker,
@@ -55,15 +56,10 @@ module.exports = function(core) {
55
56
  value: objInfo.value,
56
57
  tracked: true,
57
58
  },
58
- args: [
59
- {
60
- value: arg,
61
- tracked: false,
62
- },
63
- ],
59
+ args: [{ tracked: false, value: arg }],
64
60
  tags,
65
61
  result: {
66
- value: inspect(untrackedResult),
62
+ value: '[RegExp String Iterator] {}',
67
63
  tracked: false,
68
64
  },
69
65
  stacktraceOpts: {
@@ -75,7 +71,7 @@ module.exports = function(core) {
75
71
  });
76
72
  }
77
73
 
78
- return (stringInstrumentation.matchAll = {
74
+ return stringInstrumentation.matchAll = {
79
75
  install() {
80
76
  patcher.patch(String.prototype, 'matchAll', {
81
77
  name,
@@ -87,8 +83,7 @@ module.exports = function(core) {
87
83
  !obj ||
88
84
  !args[0] ||
89
85
  typeof obj !== 'string' ||
90
- !sources.getStore()?.assess ||
91
- instrumentation.isLocked()
86
+ !getSourceContext(PROPAGATOR)
92
87
  )
93
88
  return origFn();
94
89
 
@@ -131,7 +126,7 @@ module.exports = function(core) {
131
126
  resValue.indices && (untrackedResult.indices = resValue.indices);
132
127
 
133
128
  let searchIdx = resValue.index;
134
- const metadata = { arg: inspect(args[0]), hooked, orig };
129
+ const metadata = { arg: `${args[0]}`, hooked, orig };
135
130
 
136
131
  for (let i = 0; i < resValue.length; i++) {
137
132
  let match = resValue[i];
@@ -233,5 +228,5 @@ module.exports = function(core) {
233
228
  uninstall() {
234
229
  String.prototype.matchAll = patcher.unwrap(String.prototype.matchAll);
235
230
  },
236
- });
231
+ };
237
232
  };
@@ -14,9 +14,9 @@
14
14
  */
15
15
 
16
16
  'use strict';
17
- const { join, inspect } = require('@contrast/common');
17
+ const { join } = require('@contrast/common');
18
18
  const { patchType } = require('../../common');
19
- const { createSubsetTags } = require('../../../tag-utils');
19
+ const { createSubsetTags, getAdjustedUntrackedValue } = require('../../../tag-utils');
20
20
 
21
21
  module.exports = function(core) {
22
22
  const {
@@ -36,13 +36,14 @@ module.exports = function(core) {
36
36
  function getPropagationEvent(data, res, objInfo, start) {
37
37
  const { args: origArgs, result, hooked, orig } = data;
38
38
  const tags = createSubsetTags(objInfo.tags, start, res.length);
39
+
39
40
  if (!tags) return;
40
41
 
41
42
  const args = [
42
43
  {
43
- value: inspect(origArgs[0]),
44
+ value: getAdjustedUntrackedValue(origArgs[0]),
44
45
  tracked: false,
45
- },
46
+ }
46
47
  ];
47
48
 
48
49
  return createPropagationEvent({
@@ -18,20 +18,25 @@
18
18
  const {
19
19
  DataflowTag: { UNTRUSTED },
20
20
  match: origMatch,
21
+ join,
21
22
  substring
22
23
  } = require('@contrast/common');
23
- const { inspect, join } = require('@contrast/common');
24
+ const { InstrumentationType: { PROPAGATOR } } = require('../../../../constants');
25
+ const {
26
+ createSubsetTags,
27
+ createAppendTags,
28
+ getAdjustedUntrackedValue
29
+ } = require('../../../tag-utils');
24
30
  const { patchType } = require('../../common');
25
- const { createSubsetTags, createAppendTags } = require('../../../tag-utils');
26
31
 
27
32
  module.exports = function(core) {
28
33
  const {
29
34
  patcher,
30
35
  assess: {
36
+ getSourceContext,
31
37
  eventFactory: { createPropagationEvent },
32
38
  dataflow: { tracker }
33
39
  },
34
- scopes: { sources, instrumentation }
35
40
  } = core;
36
41
 
37
42
  function parseArgs(args) {
@@ -141,7 +146,7 @@ module.exports = function(core) {
141
146
  name,
142
147
  patchType,
143
148
  pre(data) {
144
- if (!sources.getStore()?.assess || instrumentation.isLocked()) return;
149
+ if (!getSourceContext(PROPAGATOR)) return;
145
150
 
146
151
  // setup state
147
152
  data._objInfo = tracker.getData(data.obj);
@@ -155,8 +160,6 @@ module.exports = function(core) {
155
160
  },
156
161
  post(data) {
157
162
  if (
158
- !sources.getStore()?.assess ||
159
- instrumentation.isLocked() ||
160
163
  !data.result ||
161
164
  // todo: can we reuse this optimization in other propagators? e.g those performing substring-like operations
162
165
  !data._accumTags?.[UNTRUSTED] ||
@@ -167,21 +170,24 @@ module.exports = function(core) {
167
170
  return;
168
171
  }
169
172
 
170
- const { _replacementInfo, obj, args: origArgs, result, hooked, orig } = data;
171
- const args = [{
172
- value: inspect(origArgs[0]),
173
- tracked: !!tracker.getData(origArgs[0])
174
- },
175
- {
176
- value: data._replacement,
177
- tracked: !!_replacementInfo
178
- }];
173
+ const { obj, args: origArgs, result, hooked, orig } = data;
174
+ const args = [];
175
+ if (tracker.getData(origArgs[0])) {
176
+ args.push({ tracked: true, value: origArgs[0] });
177
+ } else {
178
+ args.push({ tracked: false, value: getAdjustedUntrackedValue(origArgs[0]) });
179
+ }
180
+ if (data._replacement) {
181
+ args.push({ tracked: true, value: data._replacement });
182
+ } else {
183
+ args.push({ tracked: false, value: getAdjustedUntrackedValue(data._replacement) });
184
+ }
179
185
 
180
186
  const event = createPropagationEvent({
181
187
  name,
182
188
  moduleName: 'String',
183
189
  methodName: 'prototype.replace',
184
- context: `'${obj}'.replace(${join(args.map(a => a.value), ', ')})`,
190
+ context: `'${obj}'.replace(${join(args.map(a => a.value))})`,
185
191
  history: Array.from(data._history),
186
192
  object: {
187
193
  value: obj,
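Review bot: In the last hunk the replacement argument is pushed with `tracked: true` whenever `data._replacement` is truthy, whereas the removed code used `tracked: !!_replacementInfo`. An untracked, non-empty replacement string would now be reported as tracked in the event, and `_replacementInfo` is no longer read at all. If `data._replacementInfo` is still set by the `pre` hook (not visible here), the condition should be `if (data._replacementInfo) {`. The `post` hook starts before and ends after this hunk.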
@@ -13,15 +13,16 @@
13
13
  * way not consistent with the End User License Agreement.
14
14
  */
15
15
  'use strict';
16
+ const { join } = require('@contrast/common');
17
+ const { InstrumentationType: { PROPAGATOR } } = require('../../../../constants');
18
+ const { createSubsetTags, getAdjustedUntrackedValue } = require('../../../tag-utils');
16
19
  const { patchType } = require('../../common');
17
- const { inspect, join } = require('@contrast/common');
18
- const { createSubsetTags } = require('../../../tag-utils');
19
20
 
20
21
  module.exports = function(core) {
21
22
  const {
22
- scopes: { sources, instrumentation },
23
23
  patcher,
24
24
  assess: {
25
+ getSourceContext,
25
26
  eventFactory: { createPropagationEvent },
26
27
  dataflow: { tracker }
27
28
  }
@@ -55,7 +56,7 @@ module.exports = function(core) {
55
56
  patchType,
56
57
  post(data) {
57
58
  const { name, args: origArgs, obj, result, hooked, orig } = data;
58
- if (!result || !sources.getStore() || instrumentation.isLocked()) return;
59
+ if (!result || !getSourceContext(PROPAGATOR)) return;
59
60
 
60
61
  const objInfo = tracker.getData(obj);
61
62
  if (!objInfo) return;
@@ -71,8 +72,8 @@ module.exports = function(core) {
71
72
  if (!tags) return;
72
73
 
73
74
  const args = origArgs.map((arg) => ({
74
- value: inspect(arg),
75
- tracked: false
75
+ tracked: false,
76
+ value: getAdjustedUntrackedValue(arg)
76
77
  }));
77
78
 
78
79
  const event = createPropagationEvent({
@@ -15,16 +15,16 @@
15
15
 
16
16
  'use strict';
17
17
 
18
+ const { join } = require('@contrast/common');
19
+ const { InstrumentationType: { PROPAGATOR } } = require('../../../../constants');
20
+ const { createSubsetTags, getAdjustedUntrackedValue } = require('../../../tag-utils');
18
21
  const { patchType } = require('../../common');
19
- const { join, inspect } = require('@contrast/common');
20
- const { createSubsetTags } = require('../../../tag-utils');
21
-
22
22
 
23
23
  module.exports = function(core) {
24
24
  const {
25
- scopes: { sources, instrumentation },
26
25
  patcher,
27
26
  assess: {
27
+ getSourceContext,
28
28
  eventFactory,
29
29
  dataflow: { tracker }
30
30
  }
@@ -44,10 +44,9 @@ module.exports = function(core) {
44
44
  !result ||
45
45
  origArgs.length === 0 ||
46
46
  result.length === 0 ||
47
- !sources.getStore() ||
48
47
  typeof obj !== 'string' ||
49
- instrumentation.isLocked() ||
50
- (origArgs.length === 1 && origArgs[0] == null)
48
+ (origArgs.length === 1 && origArgs[0] == null) ||
49
+ !getSourceContext(PROPAGATOR)
51
50
  ) return;
52
51
 
53
52
  const objInfo = tracker.getData(obj);
@@ -55,17 +54,16 @@ module.exports = function(core) {
55
54
 
56
55
  const args = origArgs.map((arg) => {
57
56
  const argInfo = tracker.getData(arg);
58
- return {
59
- value: argInfo ? argInfo.value : inspect(arg),
60
- tracked: !!argInfo
61
- };
57
+ return argInfo ?
58
+ { tracked: true, value: argInfo.value } :
59
+ { tracked: false, value: `'${arg}'` };
62
60
  });
63
61
 
64
62
  const event = eventFactory.createPropagationEvent({
65
63
  name,
66
64
  moduleName: 'String',
67
65
  methodName: 'prototype.split',
68
- context: `'${objInfo.value}'.split(${join(args.map(a => a.value), ', ')})`,
66
+ context: `'${objInfo.value}'.split(${join(args.map(a => a.value))})`,
69
67
  history: [objInfo],
70
68
  object: {
71
69
  value: obj,
@@ -74,7 +72,7 @@ module.exports = function(core) {
74
72
  args,
75
73
  tags: {},
76
74
  result: {
77
- value: join(result),
75
+ value: getAdjustedUntrackedValue(result),
78
76
  tracked: false
79
77
  },
80
78
  stacktraceOpts: {
@@ -96,9 +94,13 @@ module.exports = function(core) {
96
94
  const objSubstrInfo = tracker.getData(objSubstr);
97
95
  if (objSubstrInfo) {
98
96
  const tags = createSubsetTags(objInfo.tags, start, res.length);
99
- if (!tags) continue;
100
97
 
101
- const metadata = { ...event, tags };
98
+ if (!tags) continue;
99
+ const metadata = {
100
+ ...event,
101
+ result: { tracked: true, value: res },
102
+ tags,
103
+ };
102
104
  eventFactory.createdEvents.add(metadata);
103
105
  const { extern } = tracker.track(res, metadata);
104
106
 
@@ -115,4 +117,3 @@ module.exports = function(core) {
115
117
  },
116
118
  };
117
119
  };
118
-
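Review bot: In the third hunk untracked arguments are formatted by a template literal as `'${arg}'` rather than with `getAdjustedUntrackedValue(arg)`, which this file now imports and already uses for `result`. Wrapping every value in quotes renders a RegExp separator or a numeric limit as a quoted string in `args` and `context`. The coercion also invokes the argument's own `toString` a second time from inside the propagator. `{ tracked: false, value: getAdjustedUntrackedValue(arg) }` would match what the `prototype.substring` propagator does, assuming the helper handles non-string values. The `post` hook starts and ends outside the hunk.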
@@ -15,15 +15,16 @@
15
15
 
16
16
  'use strict';
17
17
 
18
- const { createSubsetTags } = require('../../../tag-utils');
19
- const { join, inspect } = require('@contrast/common');
18
+ const { join } = require('@contrast/common');
19
+ const { InstrumentationType: { PROPAGATOR } } = require('../../../../constants');
20
+ const { createSubsetTags, getAdjustedUntrackedValue } = require('../../../tag-utils');
20
21
  const { patchType } = require('../../common');
21
22
 
22
23
  module.exports = function(core) {
23
24
  const {
24
- scopes: { sources, instrumentation },
25
25
  patcher,
26
26
  assess: {
27
+ getSourceContext,
27
28
  eventFactory: { createPropagationEvent },
28
29
  dataflow: { tracker }
29
30
  }
@@ -63,7 +64,7 @@ module.exports = function(core) {
63
64
  patchType,
64
65
  post(data) {
65
66
  const { obj, args: origArgs, result, name, hooked, orig } = data;
66
- if (!result || !sources.getStore()?.assess || instrumentation.isLocked()) return;
67
+ if (!result || !getSourceContext(PROPAGATOR)) return;
67
68
 
68
69
  const objInfo = tracker.getData(obj);
69
70
  if (!objInfo) return;
@@ -81,14 +82,15 @@ module.exports = function(core) {
81
82
  if (!tags) return;
82
83
 
83
84
  const args = origArgs.map((arg) => ({
84
- value: inspect(arg),
85
- tracked: false
85
+ tracked: false,
86
+ value: getAdjustedUntrackedValue(arg)
86
87
  }));
88
+
87
89
  const event = createPropagationEvent({
88
90
  name,
89
91
  moduleName: 'String',
90
92
  methodName: 'prototype.substring',
91
- context: `'${objInfo.value}'.substring(${join(args.map(a => a.value), ', ')})`,
93
+ context: `'${objInfo.value}'.substring(${join(args.map(a => a.value))})`,
92
94
  history: [objInfo],
93
95
  object: {
94
96
  value: obj,
@@ -125,4 +127,3 @@ module.exports = function(core) {
125
127
  },
126
128
  };
127
129
  };
128
-
@@ -15,16 +15,15 @@
15
15
 
16
16
  'use strict';
17
17
 
18
- const {
19
- createSubsetTags,
20
- } = require('../../../tag-utils');
18
+ const { InstrumentationType: { PROPAGATOR } } = require('../../../../constants');
19
+ const { createSubsetTags } = require('../../../tag-utils');
21
20
  const { patchType } = require('../../common');
22
21
 
23
22
  module.exports = function(core) {
24
23
  const {
25
- scopes: { sources, instrumentation },
26
24
  patcher,
27
25
  assess: {
26
+ getSourceContext,
28
27
  eventFactory: { createPropagationEvent },
29
28
  dataflow: { tracker }
30
29
  }
@@ -34,7 +33,7 @@ module.exports = function(core) {
34
33
  return function(data) {
35
34
  const { obj, result, hooked, orig } = data;
36
35
 
37
- if (!result?.length || !sources.getStore()?.assess || instrumentation.isLocked()) {
36
+ if (!result?.length || !getSourceContext(PROPAGATOR)) {
38
37
  return;
39
38
  }
40
39
  const rInfo = tracker.getData(result);
@@ -16,7 +16,6 @@
16
16
  'use strict';
17
17
 
18
18
  const { patchType } = require('../../common');
19
- const { inspect } = require('@contrast/common');
20
19
 
21
20
  module.exports = function(core) {
22
21
  const {
@@ -24,6 +23,7 @@ module.exports = function(core) {
24
23
  patcher,
25
24
  depHooks,
26
25
  assess: {
26
+ inspect, // todo: remove
27
27
  eventFactory: { createPropagationEvent },
28
28
  dataflow: { tracker }
29
29
  }
@@ -16,7 +16,7 @@
16
16
  'use strict';
17
17
 
18
18
  const { patchType } = require('../../common');
19
- const { inspect, isString } = require('@contrast/common');
19
+ const { isString } = require('@contrast/common');
20
20
 
21
21
  module.exports = function(core) {
22
22
  const {
@@ -24,6 +24,7 @@ module.exports = function(core) {
24
24
  patcher,
25
25
  depHooks,
26
26
  assess: {
27
+ inspect, // todo: remove
27
28
  eventFactory: { createPropagationEvent },
28
29
  dataflow: { tracker }
29
30
  }