npm - @contrast/assess - Versions diffs - 1.28.0 → 1.28.1 - Mend

@contrast/assess 1.28.0 → 1.28.1

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (52) hide show

package/lib/crypto-analysis/install/crypto.js CHANGED Viewed

@@ -15,7 +15,6 @@
 'use strict';
-const { inspect } = require('util');
 const {
   Rule,
   isString,
@@ -54,6 +53,7 @@ module.exports = function (core) {
     logger,
     patcher,
     assess: {
+      inspect, // todo: remove
       eventFactory,
       cryptoAnalysis,
       getSourceContext,

package/lib/dataflow/propagation/install/JSON/parse.js CHANGED Viewed

@@ -15,7 +15,7 @@
 'use strict';
-const { isString, inspect } = require('@contrast/common');
+const { isString } = require('@contrast/common');
 const { createSubsetTags } = require('../../../tag-utils');
 const { patchType } = require('../../common');
 const { getKeyValueIndices } = require('./parse-fn');
@@ -75,7 +75,7 @@ module.exports = function (core) {
       moduleName: 'JSON',
       methodName: 'parse',
       object: {
-        value: inspect(data.obj),
+        value: 'JSON',
         tracked: false,
       },
       args: eventArgs,

package/lib/dataflow/propagation/install/JSON/stringify.js CHANGED Viewed

@@ -15,12 +15,10 @@
 'use strict';
-const {
-  createMergedTags
-} = require('../../../tag-utils');
-const { isString, inspect, replace, match, matchAll, slice } = require('@contrast/common');
-const { patchType } = require('../../common');
 const crypto = require('crypto');
+const { isString, replace, match, matchAll, slice } = require('@contrast/common');
+const { createMergedTags, getAdjustedUntrackedValue } = require('../../../tag-utils');
+const { patchType } = require('../../common');
 function makeCanary() {
   return replace(
@@ -88,7 +86,6 @@ module.exports = function(core) {
       return null;
     }
     const props = tracker.getData(slice(space, 0, 10));
     if (!props || !Object.keys(props.tags).length) {
       return null;
@@ -246,21 +243,23 @@ module.exports = function(core) {
             methodName: 'stringify',
             history: Array.from(metadata.history),
             object: {
-              value: inspect(data.obj),
+              value: 'JSON',
               tracked: false
             },
             args: [
               {
-                value: inspect(metadata.origArgs[0]),
+                value: getAdjustedUntrackedValue(metadata.origArgs[0]),
                 tracked: false
               },
               (metadata.origArgs[1] && {
-                value: inspect(metadata.origArgs[1]),
+                value: getAdjustedUntrackedValue(metadata.origArgs[1]),
                 tracked: false
               }),
               (metadata.origArgs[2] && {
-                value: inspect(metadata.origArgs[2]),
-                tracked: !!metadata.spaceProps
+                tracked: !!metadata.spaceProps,
+                value: metadata.spaceProps ?
+                  `'${metadata.origArgs[2]}'` :
+                  getAdjustedUntrackedValue(metadata.origArgs[2]),
               })
             ].filter(Boolean),
             result: {

package/lib/dataflow/propagation/install/array-prototype-join.js CHANGED Viewed

@@ -15,7 +15,7 @@
 'use strict';
-const { isString, join, inspect } = require('@contrast/common');
+const { isString } = require('@contrast/common');
 const { InstrumentationType: { PROPAGATOR } } = require('../../../constants');
 const { createAppendTags } = require('../../tag-utils');
 const { patchType } = require('../common');
@@ -78,10 +78,6 @@ module.exports = function(core) {
           const delimiterInfo = tracker.getData(delimiter);
           const initHistory = delimiterInfo ? new Set([delimiterInfo]) : new Set();
           const { newTags, newHistory: history } = accumulateTags(obj, {}, 0, initHistory, delimiterLength, delimiterInfo?.tags);
-          const object = {
-            value: obj && join(obj),
-            tracked: false
-          };
           const args = [{
             value: delimiterInfo ? delimiterInfo.value : delimiter,
@@ -93,8 +89,11 @@ module.exports = function(core) {
               name,
               moduleName: 'Array',
               methodName: 'prototype.join',
-              context: `${object.value}.join('${inspect(args[0].value) || ''})`,
-              object,
+              context: `[...].join('${args[0].value || ''}')`,
+              object: {
+                value: 'Array',
+                tracked: false
+              },
               result: {
                 value: resultInfo ? resultInfo.value : result,
                 tracked: true

package/lib/dataflow/propagation/install/contrast-methods/add.js CHANGED Viewed

@@ -15,21 +15,19 @@
 'use strict';
-const util = require('util');
 const { InstrumentationType: { PROPAGATOR } } = require('../../../../constants');
 const { createAppendTags } = require('../../../tag-utils');
 module.exports = function(core) {
   const {
-    patcher,
     assess: {
+      inspect,
       getSourceContext,
       eventFactory: { createPropagationEvent },
       dataflow: { tracker }
     }
   } = core;
-  const inspect = patcher.unwrap(util.inspect);
   const origSym = Symbol('ContrastMethods.add.orig');
   return core.assess.dataflow.propagation.contrastMethodsInstrumentation.add = {

package/lib/dataflow/propagation/install/joi/boolean.js CHANGED Viewed

@@ -15,10 +15,7 @@
 'use strict';
-const {
-  DataflowTag: { ALPHANUM_SPACE_HYPHEN },
-  inspect,
-} = require('@contrast/common');
+const { DataflowTag: { ALPHANUM_SPACE_HYPHEN } } = require('@contrast/common');
 const { patchType } = require('../../common');
 module.exports = function(core) {
@@ -27,6 +24,7 @@ module.exports = function(core) {
     scopes: { sources, instrumentation },
     patcher,
     assess: {
+      inspect, // todo: remove
       eventFactory: { createPropagationEvent },
       dataflow: { tracker },
     },

package/lib/dataflow/propagation/install/joi/expression.js CHANGED Viewed

@@ -15,10 +15,7 @@
 'use strict';
-const {
-  DataflowTag: { HTML_ENCODED },
-  inspect,
-} = require('@contrast/common');
+const { DataflowTag: { HTML_ENCODED } } = require('@contrast/common');
 const { patchType } = require('../../common');
 module.exports = function(core) {
@@ -27,6 +24,7 @@ module.exports = function(core) {
     scopes: { sources, instrumentation },
     patcher,
     assess: {
+      inspect, // todo: remove
       eventFactory: { createPropagationEvent },
       dataflow: { tracker },
     },

package/lib/dataflow/propagation/install/joi/index.js CHANGED Viewed

@@ -20,7 +20,6 @@ const {
   isString,
   isNonEmptyObject,
   traverseValues,
-  inspect,
 } = require('@contrast/common');
 const { patchType } = require('../../common');
 const { tagCustomValidatedString, handleReferences } = require('./utils');
@@ -30,6 +29,7 @@ module.exports = function(core) {
     patcher,
     scopes: { sources, instrumentation },
     assess: {
+      inspect, // todo: remove
       eventFactory: { createPropagationEvent },
       dataflow: { tracker },
     },

package/lib/dataflow/propagation/install/joi/number.js CHANGED Viewed

@@ -15,10 +15,7 @@
 'use strict';
-const {
-  DataflowTag: { LIMITED_CHARS },
-  inspect,
-} = require('@contrast/common');
+const { DataflowTag: { LIMITED_CHARS } } = require('@contrast/common');
 const { patchType } = require('../../common');
 module.exports = function(core) {
@@ -27,6 +24,7 @@ module.exports = function(core) {
     scopes: { sources, instrumentation },
     patcher,
     assess: {
+      inspect, // todo: remove
       eventFactory: { createPropagationEvent },
       dataflow: { tracker },
     },

package/lib/dataflow/propagation/install/joi/string-schema.js CHANGED Viewed

@@ -16,12 +16,16 @@
 'use strict';
 const {
-  DataflowTag: { ALPHANUM_SPACE_HYPHEN, LIMITED_CHARS, STRING_TYPE_CHECKED },
-  inspect,
+  DataflowTag: {
+    ALPHANUM_SPACE_HYPHEN,
+    LIMITED_CHARS,
+    STRING_TYPE_CHECKED
+  },
 } = require('@contrast/common');
-const { handleReferences } = require('./utils');
 const { createFullLengthCopyTags } = require('../../../tag-utils');
 const { patchType } = require('../../common');
+const { handleReferences } = require('./utils');
 const VALIDATORS = {
   base64: ALPHANUM_SPACE_HYPHEN,
   guid: ALPHANUM_SPACE_HYPHEN,
@@ -42,6 +46,7 @@ module.exports = function(core) {
     scopes: { sources, instrumentation },
     patcher,
     assess: {
+      inspect, // todo: remove
       eventFactory: { createPropagationEvent },
       dataflow: {
         tracker, propagation: {

package/lib/dataflow/propagation/install/joi/values.js CHANGED Viewed

@@ -16,7 +16,10 @@
 'use strict';
 const {
-  isNonEmptyObject, isString, inspect, traverseValues, join
+  isNonEmptyObject,
+  isString,
+  join,
+  traverseValues,
 } = require('@contrast/common');
 const { createMergedTags } = require('../../../tag-utils');
 const { patchType } = require('../../common');
@@ -27,6 +30,7 @@ module.exports = function(core) {
     scopes: { sources, instrumentation },
     patcher,
     assess: {
+      inspect, // todo: remove
       eventFactory: { createPropagationEvent },
       dataflow: { tracker },
     },

package/lib/dataflow/propagation/install/path/format.js CHANGED Viewed

@@ -14,9 +14,9 @@
  */
 'use strict';
+const { join, isString } = require('@contrast/common');
 const { patchType } = require('../../common');
-const { isString, inspect } = require('@contrast/common');
-const { createMergedTags } = require('../../../tag-utils');
+const { createMergedTags, getAdjustedUntrackedValue } = require('../../../tag-utils');
 const {
   createArgTagsInResult,
   excludeExtensionDotFromTags
@@ -65,7 +65,10 @@ module.exports = function(core) {
                 let newTags = {};
                 const propInfo = isString(prop) && tracker.getData(prop);
                 if (!propInfo) {
-                  eventArgs.unshift({ value: prop, tracked: false });
+                  eventArgs.unshift({
+                    value: getAdjustedUntrackedValue(prop),
+                    tracked: false
+                  });
                   continue;
                 }
@@ -95,7 +98,7 @@ module.exports = function(core) {
                 name: patchName,
                 moduleName: 'path',
                 methodName: 'format',
-                context: `path.format('${inspect(...args)}')`,
+                context: `path.format(${join(eventArgs.map((a) => a.value))})`,
                 history,
                 object: {
                   value: 'path',

package/lib/dataflow/propagation/install/path/parse.js CHANGED Viewed

@@ -14,12 +14,10 @@
  */
 'use strict';
-const { patchType } = require('../../common');
-const { isString, inspect } = require('@contrast/common');
+const { isString } = require('@contrast/common');
 const { createSubsetTags } = require('../../../tag-utils');
-const {
-  excludeExtensionDotFromTags
-} = require('./common');
+const { patchType } = require('../../common');
+const { excludeExtensionDotFromTags } = require('./common');
 module.exports = function(core) {
   const {
@@ -27,6 +25,7 @@ module.exports = function(core) {
     patcher,
     scopes: { sources, instrumentation },
     assess: {
+      inspect, // todo: remove
       eventFactory: { createPropagationEvent },
       dataflow: { tracker },
     },

package/lib/dataflow/propagation/install/querystring/escape.js CHANGED Viewed

@@ -14,7 +14,6 @@
  */
 'use strict';
-const { inspect } = require('util');
 const { DataflowTag: { URL_ENCODED } } = require('@contrast/common');
 const { createFullLengthCopyTags } = require('../../../tag-utils');
 const { patchType } = require('../../common');
@@ -22,6 +21,7 @@ const { patchType } = require('../../common');
 module.exports = function(core) {
   const {
     assess: {
+      inspect, // todo: remove
       eventFactory: { createPropagationEvent },
       dataflow: { tracker }
     },

package/lib/dataflow/propagation/install/querystring/parse.js CHANGED Viewed

@@ -18,12 +18,10 @@
 const querystring = require('querystring');
 const {
   DataflowTag: { URL_ENCODED },
-  inspect,
   join
 } = require('@contrast/common');
+const { createSubsetTags, createAppendTags, getAdjustedUntrackedValue } = require('../../../tag-utils');
 const { patchType } = require('../../common');
-const { createSubsetTags, createAppendTags } = require('../../../tag-utils');
 module.exports = function(core) {
   const {
@@ -48,10 +46,11 @@ module.exports = function(core) {
       if (!tagRanges) return result;
       const resultInfo = tracker.getData(result);
-      const [, ...restOfArgsValues] = data.origArgs.map(inspect);
+      const [, ...restArgs] = data.origArgs.map(getAdjustedUntrackedValue);
+      const restArgStr = restArgs.length ? `,${join(restArgs)}` : '';
       const event = createPropagationEvent({
         name: data.name,
-        context: `querystring.parse('${trackingData.value}', ${join(restOfArgsValues, ', ')})`,
+        context: `querystring.parse('${trackingData.value}'${restArgStr})`,
         moduleName: 'querystring',
         methodName: 'parse',
         history: [trackingData],
@@ -60,7 +59,7 @@ module.exports = function(core) {
           tracked: true,
         },
         args: data.origArgs.map((_arg, idx) => ({
-          value: idx === 0 ? trackingData.value : restOfArgsValues[idx - 1],
+          value: idx === 0 ? trackingData.value : restArgs[idx - 1],
           tracked: !!idx === 0
         })).filter(el => el),
         result: {
@@ -116,7 +115,7 @@ module.exports = function(core) {
               }
               data.idx = 0;
-              data.origArgs = data.args;
+              data.origArgs = [...data.args];
               data.trackingData = trackingData;
               data.args[3] = {

package/lib/dataflow/propagation/install/querystring/stringify.js CHANGED Viewed

@@ -15,7 +15,6 @@
 'use strict';
 const querystring = require('querystring');
-const { inspect } = require('util');
 const { isString } = require('@contrast/common');
 const utils = require('../../../tag-utils');
 const { patchType } = require('../../common');
@@ -25,6 +24,7 @@ const moduleName = 'querystring';
 module.exports = function(core) {
   const {
     assess: {
+      inspect, // todo: remove
       dataflow: { tracker },
       eventFactory: { createPropagationEvent },
     },

package/lib/dataflow/propagation/install/reg-exp-prototype-exec.js CHANGED Viewed

@@ -14,8 +14,7 @@
  */
 'use strict';
-const { inspect } = require('@contrast/common');
-const { createSubsetTags } = require('../../tag-utils');
+const { createSubsetTags, getAdjustedUntrackedValue } = require('../../tag-utils');
 const { patchType } = require('../common');
 module.exports = function(core) {
@@ -58,7 +57,7 @@ module.exports = function(core) {
       ],
       tags,
       result: {
-        value: inspect(untrackedResult),
+        value: getAdjustedUntrackedValue(untrackedResult),
         tracked: false,
       },
       stacktraceOpts: {

package/lib/dataflow/propagation/install/string/concat.js CHANGED Viewed

@@ -15,9 +15,9 @@
 'use strict';
-const { join, inspect } = require('@contrast/common');
+const { join } = require('@contrast/common');
 const { InstrumentationType: { PROPAGATOR } } = require('../../../../constants');
-const { createAppendTags } = require('../../../tag-utils');
+const { createAppendTags, getAdjustedUntrackedValue } = require('../../../tag-utils');
 const { patchType } = require('../../common');
 module.exports = function(core) {
@@ -38,7 +38,7 @@ module.exports = function(core) {
         name,
         patchType,
         post(data) {
-          const { args, obj, result, hooked, orig } = data;
+          const { obj, result, hooked, orig } = data;
           if (!result || !getSourceContext(PROPAGATOR)) return;
           const rInfo = tracker.getData(result);
@@ -47,45 +47,45 @@ module.exports = function(core) {
             return;
           }
-          const argsData = [];
           const objInfo = tracker.getData(obj);
           const history = objInfo ? new Set([objInfo]) : new Set();
-          const newTags = { ...objInfo?.tags };
           let globalOffset = typeof obj !== 'function' ? obj.length : 0;
+          const args = [];
+          let tags = objInfo?.tags;
-          for (const str of args) {
-            const strInfo = tracker.getData(str);
+          for (const arg of data.args) {
+            const strInfo = tracker.getData(arg);
             if (strInfo) {
-              const strTags = strInfo?.tags || {};
+              args.push({ tracked: true, value: arg });
               history.add(strInfo);
-              Object.assign(newTags, createAppendTags(newTags, strTags, globalOffset));
+              tags = createAppendTags(tags, strInfo.tags, globalOffset);
+            } else {
+              args.push({ tracked: false, value: getAdjustedUntrackedValue(arg) });
             }
-            argsData.push({
-              value: strInfo?.value ?? str,
-              tracked: !!strInfo
-            });
-            globalOffset += `${str}`.length;
+            globalOffset += `${arg}`.length;
           }
+          const objVal = objInfo ? `'${objInfo.value}'` : getAdjustedUntrackedValue(obj);
+          const context = `${objVal}.concat(${join(args.map((a) => a.value))})`;
           if (history.size) {
             const event = createPropagationEvent({
               name,
               moduleName: 'String',
               methodName: 'prototype.concat',
-              context: `${inspect(objInfo?.value) || String(obj)}.concat(${inspect(join(argsData.map(d => d.value)), ', ')})`,
+              context,
               object: {
-                value: objInfo?.value || String(obj),
+                value: objInfo?.value ?? getAdjustedUntrackedValue(obj),
                 tracked: !!objInfo
               },
               result: {
                 value: result,
                 tracked: true
               },
-              args: argsData,
-              tags: newTags,
+              args,
+              tags,
               history: Array.from(history),
               source: objInfo ? (history.size > 1 ? 'A' : 'O') : 'P',
               target: 'R',

package/lib/dataflow/propagation/install/string/html-methods.js CHANGED Viewed

@@ -15,7 +15,6 @@
 'use strict';
-const { inspect } = require('@contrast/common');
 const { InstrumentationType: { PROPAGATOR } } = require('../../../../constants');
 const { createAppendTags } = require('../../../tag-utils');
 const { patchType } = require('../../common');
@@ -34,6 +33,7 @@ module.exports = function(core) {
   const {
     patcher,
     assess: {
+      inspect, // todo: remove
       getSourceContext,
       eventFactory: { createPropagationEvent },
       dataflow: { tracker }

package/lib/dataflow/propagation/install/string/index.js CHANGED Viewed

@@ -15,8 +15,8 @@
 'use strict';
-const { callChildComponentMethodsSync } = require('@contrast/common');
-const { inspect, split } = require('@contrast/common');
+const { callChildComponentMethodsSync, split } = require('@contrast/common');
+const { getAdjustedUntrackedValue } = require('../../../tag-utils');
 module.exports = function(core) {
   const {
@@ -55,7 +55,7 @@ module.exports = function(core) {
         ) return;
         const args = [{
-          value: inspect(methodArg),
+          value: getAdjustedUntrackedValue(methodArg),
           tracked: false
         }];

package/lib/dataflow/propagation/install/string/match-all.js CHANGED Viewed

@@ -14,7 +14,7 @@
  */
 'use strict';
-const { inspect } = require('@contrast/common');
 const { InstrumentationType: { PROPAGATOR } } = require('../../../../constants');
 const { createSubsetTags } = require('../../../tag-utils');
 const { patchType } = require('../../common');
@@ -56,15 +56,10 @@ module.exports = function(core) {
         value: objInfo.value,
         tracked: true,
       },
-      args: [
-        {
-          value: arg,
-          tracked: false,
-        },
-      ],
+      args: [{ tracked: false, value: arg }],
       tags,
       result: {
-        value: inspect(untrackedResult),
+        value: '[RegExp String Iterator] {}',
         tracked: false,
       },
       stacktraceOpts: {
@@ -131,7 +126,7 @@ module.exports = function(core) {
             resValue.indices && (untrackedResult.indices = resValue.indices);
             let searchIdx = resValue.index;
-            const metadata = { arg: inspect(args[0]), hooked, orig };
+            const metadata = { arg: `${args[0]}`, hooked, orig };
             for (let i = 0; i < resValue.length; i++) {
               let match = resValue[i];

package/lib/dataflow/propagation/install/string/match.js CHANGED Viewed

@@ -14,9 +14,9 @@
  */
 'use strict';
-const { join, inspect } = require('@contrast/common');
+const { join } = require('@contrast/common');
 const { patchType } = require('../../common');
-const { createSubsetTags } = require('../../../tag-utils');
+const { createSubsetTags, getAdjustedUntrackedValue } = require('../../../tag-utils');
 module.exports = function(core) {
   const {
@@ -36,13 +36,14 @@ module.exports = function(core) {
   function getPropagationEvent(data, res, objInfo, start) {
     const { args: origArgs, result, hooked, orig } = data;
     const tags = createSubsetTags(objInfo.tags, start, res.length);
     if (!tags) return;
     const args = [
       {
-        value: inspect(origArgs[0]),
+        value: getAdjustedUntrackedValue(origArgs[0]),
         tracked: false,
-      },
+      }
     ];
     return createPropagationEvent({

package/lib/dataflow/propagation/install/string/replace.js CHANGED Viewed

@@ -18,12 +18,15 @@
 const {
   DataflowTag: { UNTRUSTED },
   match: origMatch,
-  inspect,
   join,
   substring
 } = require('@contrast/common');
 const { InstrumentationType: { PROPAGATOR } } = require('../../../../constants');
-const { createSubsetTags, createAppendTags } = require('../../../tag-utils');
+const {
+  createSubsetTags,
+  createAppendTags,
+  getAdjustedUntrackedValue
+} = require('../../../tag-utils');
 const { patchType } = require('../../common');
 module.exports = function(core) {
@@ -167,21 +170,24 @@ module.exports = function(core) {
             return;
           }
-          const { _replacementInfo, obj, args: origArgs, result, hooked, orig } = data;
-          const args = [{
-            value: inspect(origArgs[0]),
-            tracked: !!tracker.getData(origArgs[0])
-          },
-          {
-            value: data._replacement,
-            tracked: !!_replacementInfo
-          }];
+          const { obj, args: origArgs, result, hooked, orig } = data;
+          const args = [];
+          if (tracker.getData(origArgs[0])) {
+            args.push({ tracked: true, value: origArgs[0] });
+          } else {
+            args.push({ tracked: false, value: getAdjustedUntrackedValue(origArgs[0]) });
+          }
+          if (data._replacement) {
+            args.push({ tracked: true, value: data._replacement });
+          } else {
+            args.push({ tracked: false, value: getAdjustedUntrackedValue(data._replacement) });
+          }
           const event = createPropagationEvent({
             name,
             moduleName: 'String',
             methodName: 'prototype.replace',
-            context: `'${obj}'.replace(${join(args.map(a => a.value), ', ')})`,
+            context: `'${obj}'.replace(${join(args.map(a => a.value))})`,
             history: Array.from(data._history),
             object: {
               value: obj,