npm - @contrast/assess - Versions diffs - 1.28.0 → 1.29.0 - Mend

@contrast/assess 1.28.0 → 1.29.0

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (81) hide show

package/lib/dataflow/propagation/install/path/common.js CHANGED Viewed

@@ -15,7 +15,7 @@
 'use strict';
-const { matchAll, substring, replace } = require('@contrast/common');
+const { StringPrototypeMatchAll, StringPrototypeSubstring, StringPrototypeReplace } = require('@contrast/common');
 const {
   createSubsetTags,
   createAppendTags,
@@ -35,7 +35,7 @@ function createBasenameTagsInResult({
   isWin32,
 }) {
   const segments = Array.from(
-    matchAll(argStr, isWin32 ? win32RegExp : posixRegExp)
+    StringPrototypeMatchAll.call(argStr, isWin32 ? win32RegExp : posixRegExp)
   );
   const basename = segments[segments.length - 1][1];
   const isExtensionRemoved = suffixStr && basename.includes(suffixStr);
@@ -77,7 +77,7 @@ function createArgTagsInResult({
   // the separators eventually including
   // only 1 path separator at the start
   const matchedSegments = Array.from(
-    matchAll(argStr, isWin32 ? win32RegExp : posixRegExp)
+    StringPrototypeMatchAll.call(argStr, isWin32 ? win32RegExp : posixRegExp)
   ).reverse();
   for (let i = 0; i < matchedSegments.length; i++) {
@@ -107,13 +107,13 @@ function createArgTagsInResult({
       i === matchedSegments.length - 1 ? 0 : matchedSegments[i + 1][0].length;
     const segmentStartIdx = startIdx + match.length - segment.length;
     const separators =
-      substring(
+      StringPrototypeSubstring.call(
         argStr,
         previousSegmentIdx + previousSegmentLength,
         segmentStartIdx
       ) || '';
     const separatorsInResult = isWin32
-      ? replace(separators, /\//g, (_match, idx) => {
+      ? StringPrototypeReplace.call(separators, /\//g, (_match, idx) => {
         replacedSeparatorsIdxs.push(startIdx - idx);
         return '\\';

package/lib/dataflow/propagation/install/path/format.js CHANGED Viewed

@@ -14,9 +14,9 @@
  */
 'use strict';
+const { ArrayPrototypeJoin, isString } = require('@contrast/common');
 const { patchType } = require('../../common');
-const { isString, inspect } = require('@contrast/common');
-const { createMergedTags } = require('../../../tag-utils');
+const { createMergedTags, getAdjustedUntrackedValue } = require('../../../tag-utils');
 const {
   createArgTagsInResult,
   excludeExtensionDotFromTags
@@ -65,7 +65,10 @@ module.exports = function(core) {
                 let newTags = {};
                 const propInfo = isString(prop) && tracker.getData(prop);
                 if (!propInfo) {
-                  eventArgs.unshift({ value: prop, tracked: false });
+                  eventArgs.unshift({
+                    value: getAdjustedUntrackedValue(prop),
+                    tracked: false
+                  });
                   continue;
                 }
@@ -95,7 +98,7 @@ module.exports = function(core) {
                 name: patchName,
                 moduleName: 'path',
                 methodName: 'format',
-                context: `path.format('${inspect(...args)}')`,
+                context: `path.format(${ArrayPrototypeJoin.call(eventArgs.map((a) => a.value))})`,
                 history,
                 object: {
                   value: 'path',

package/lib/dataflow/propagation/install/path/join-and-resolve.js CHANGED Viewed

@@ -14,7 +14,7 @@
  */
 'use strict';
-const { isString, join } = require('@contrast/common');
+const { isString, ArrayPrototypeJoin } = require('@contrast/common');
 const { createMergedTags } = require('../../../tag-utils');
 const { patchType } = require('../../common');
 const {
@@ -97,7 +97,7 @@ module.exports = function(core) {
                   name,
                   moduleName: 'path',
                   methodName: method,
-                  context: `path.${method}(${join(args
+                  context: `path.${method}(${ArrayPrototypeJoin.call(args
                     .map((a) => `'${a.value}'`), ',')})`,
                   history,
                   object: {

package/lib/dataflow/propagation/install/path/parse.js CHANGED Viewed

@@ -14,12 +14,10 @@
  */
 'use strict';
-const { patchType } = require('../../common');
-const { isString, inspect } = require('@contrast/common');
+const { isString } = require('@contrast/common');
 const { createSubsetTags } = require('../../../tag-utils');
-const {
-  excludeExtensionDotFromTags
-} = require('./common');
+const { patchType } = require('../../common');
+const { excludeExtensionDotFromTags } = require('./common');
 module.exports = function(core) {
   const {
@@ -27,6 +25,7 @@ module.exports = function(core) {
     patcher,
     scopes: { sources, instrumentation },
     assess: {
+      inspect, // todo: remove
       eventFactory: { createPropagationEvent },
       dataflow: { tracker },
     },

package/lib/dataflow/propagation/install/querystring/escape.js CHANGED Viewed

@@ -14,7 +14,6 @@
  */
 'use strict';
-const { inspect } = require('util');
 const { DataflowTag: { URL_ENCODED } } = require('@contrast/common');
 const { createFullLengthCopyTags } = require('../../../tag-utils');
 const { patchType } = require('../../common');
@@ -22,6 +21,7 @@ const { patchType } = require('../../common');
 module.exports = function(core) {
   const {
     assess: {
+      inspect, // todo: remove
       eventFactory: { createPropagationEvent },
       dataflow: { tracker }
     },

package/lib/dataflow/propagation/install/querystring/parse.js CHANGED Viewed

@@ -18,12 +18,10 @@
 const querystring = require('querystring');
 const {
   DataflowTag: { URL_ENCODED },
-  inspect,
-  join
+  ArrayPrototypeJoin,
 } = require('@contrast/common');
+const { createSubsetTags, createAppendTags, getAdjustedUntrackedValue } = require('../../../tag-utils');
 const { patchType } = require('../../common');
-const { createSubsetTags, createAppendTags } = require('../../../tag-utils');
 module.exports = function(core) {
   const {
@@ -48,10 +46,12 @@ module.exports = function(core) {
       if (!tagRanges) return result;
       const resultInfo = tracker.getData(result);
-      const [, ...restOfArgsValues] = data.origArgs.map(inspect);
+      const [, ...restArgs] = data.origArgs.map(getAdjustedUntrackedValue);
+      const args = [trackingData.value, ...restArgs];
       const event = createPropagationEvent({
         name: data.name,
-        context: `querystring.parse('${trackingData.value}', ${join(restOfArgsValues, ', ')})`,
+        context: `querystring.parse('${ArrayPrototypeJoin.call(args)})`,
         moduleName: 'querystring',
         methodName: 'parse',
         history: [trackingData],
@@ -60,7 +60,7 @@ module.exports = function(core) {
           tracked: true,
         },
         args: data.origArgs.map((_arg, idx) => ({
-          value: idx === 0 ? trackingData.value : restOfArgsValues[idx - 1],
+          value: idx === 0 ? trackingData.value : restArgs[idx - 1],
           tracked: !!idx === 0
         })).filter(el => el),
         result: {
@@ -116,7 +116,7 @@ module.exports = function(core) {
               }
               data.idx = 0;
-              data.origArgs = data.args;
+              data.origArgs = [...data.args];
               data.trackingData = trackingData;
               data.args[3] = {

package/lib/dataflow/propagation/install/querystring/stringify.js CHANGED Viewed

@@ -15,7 +15,6 @@
 'use strict';
 const querystring = require('querystring');
-const { inspect } = require('util');
 const { isString } = require('@contrast/common');
 const utils = require('../../../tag-utils');
 const { patchType } = require('../../common');
@@ -25,6 +24,7 @@ const moduleName = 'querystring';
 module.exports = function(core) {
   const {
     assess: {
+      inspect, // todo: remove
       dataflow: { tracker },
       eventFactory: { createPropagationEvent },
     },

package/lib/dataflow/propagation/install/reg-exp-prototype-exec.js CHANGED Viewed

@@ -14,8 +14,7 @@
  */
 'use strict';
-const { inspect } = require('@contrast/common');
-const { createSubsetTags } = require('../../tag-utils');
+const { createSubsetTags, getAdjustedUntrackedValue } = require('../../tag-utils');
 const { patchType } = require('../common');
 module.exports = function(core) {
@@ -58,7 +57,7 @@ module.exports = function(core) {
       ],
       tags,
       result: {
-        value: inspect(untrackedResult),
+        value: getAdjustedUntrackedValue(untrackedResult),
         tracked: false,
       },
       stacktraceOpts: {

package/lib/dataflow/propagation/install/send.js CHANGED Viewed

@@ -15,7 +15,7 @@
 'use strict';
 const { patchType } = require('../common');
-const { slice } = require('@contrast/common');
+const { StringPrototypeSlice } = require('@contrast/common');
 module.exports = function (core) {
   const {
@@ -42,7 +42,7 @@ module.exports = function (core) {
               return;
             }
-            const untrackedPath = slice(` ${args[0]}`, 1);
+            const untrackedPath = StringPrototypeSlice.call(` ${args[0]}`, 1);
             args[0] = untrackedPath;
           },
         });

package/lib/dataflow/propagation/install/string/concat.js CHANGED Viewed

@@ -15,9 +15,9 @@
 'use strict';
-const { join, inspect } = require('@contrast/common');
+const { ArrayPrototypeJoin } = require('@contrast/common');
 const { InstrumentationType: { PROPAGATOR } } = require('../../../../constants');
-const { createAppendTags } = require('../../../tag-utils');
+const { createAppendTags, getAdjustedUntrackedValue } = require('../../../tag-utils');
 const { patchType } = require('../../common');
 module.exports = function(core) {
@@ -38,7 +38,7 @@ module.exports = function(core) {
         name,
         patchType,
         post(data) {
-          const { args, obj, result, hooked, orig } = data;
+          const { obj, result, hooked, orig } = data;
           if (!result || !getSourceContext(PROPAGATOR)) return;
           const rInfo = tracker.getData(result);
@@ -47,45 +47,45 @@ module.exports = function(core) {
             return;
           }
-          const argsData = [];
           const objInfo = tracker.getData(obj);
           const history = objInfo ? new Set([objInfo]) : new Set();
-          const newTags = { ...objInfo?.tags };
           let globalOffset = typeof obj !== 'function' ? obj.length : 0;
+          const args = [];
+          let tags = objInfo?.tags;
-          for (const str of args) {
-            const strInfo = tracker.getData(str);
+          for (const arg of data.args) {
+            const strInfo = tracker.getData(arg);
             if (strInfo) {
-              const strTags = strInfo?.tags || {};
+              args.push({ tracked: true, value: arg });
               history.add(strInfo);
-              Object.assign(newTags, createAppendTags(newTags, strTags, globalOffset));
+              tags = createAppendTags(tags, strInfo.tags, globalOffset);
+            } else {
+              args.push({ tracked: false, value: getAdjustedUntrackedValue(arg) });
             }
-            argsData.push({
-              value: strInfo?.value ?? str,
-              tracked: !!strInfo
-            });
-            globalOffset += `${str}`.length;
+            globalOffset += `${arg}`.length;
           }
           if (history.size) {
+            const objVal = objInfo ? `'${objInfo.value}'` : getAdjustedUntrackedValue(obj);
+            const context = `${objVal}.concat(${ArrayPrototypeJoin.call(args.map((a) => a.value))})`;
             const event = createPropagationEvent({
               name,
               moduleName: 'String',
               methodName: 'prototype.concat',
-              context: `${inspect(objInfo?.value) || String(obj)}.concat(${inspect(join(argsData.map(d => d.value)), ', ')})`,
+              context,
               object: {
-                value: objInfo?.value || String(obj),
+                value: objInfo?.value ?? getAdjustedUntrackedValue(obj),
                 tracked: !!objInfo
               },
               result: {
                 value: result,
                 tracked: true
               },
-              args: argsData,
-              tags: newTags,
+              args,
+              tags,
               history: Array.from(history),
               source: objInfo ? (history.size > 1 ? 'A' : 'O') : 'P',
               target: 'R',

package/lib/dataflow/propagation/install/string/html-methods.js CHANGED Viewed

@@ -15,7 +15,6 @@
 'use strict';
-const { inspect } = require('@contrast/common');
 const { InstrumentationType: { PROPAGATOR } } = require('../../../../constants');
 const { createAppendTags } = require('../../../tag-utils');
 const { patchType } = require('../../common');
@@ -34,6 +33,7 @@ module.exports = function(core) {
   const {
     patcher,
     assess: {
+      inspect, // todo: remove
       getSourceContext,
       eventFactory: { createPropagationEvent },
       dataflow: { tracker }

package/lib/dataflow/propagation/install/string/index.js CHANGED Viewed

@@ -16,7 +16,8 @@
 'use strict';
 const { callChildComponentMethodsSync } = require('@contrast/common');
-const { inspect, split } = require('@contrast/common');
+const { StringPrototypeSplit } = require('@contrast/common');
+const { getAdjustedUntrackedValue } = require('../../../tag-utils');
 module.exports = function(core) {
   const {
@@ -40,7 +41,7 @@ module.exports = function(core) {
   };
   function patchCustomMatcher(matcherFn, objInfo, methodArg, name, patchType) {
-    const [, , methodName] = split(name, '.');
+    const [, , methodName] = StringPrototypeSplit.call(name, '.');
     return patcher.patch(matcherFn, {
       name,
@@ -55,7 +56,7 @@ module.exports = function(core) {
         ) return;
         const args = [{
-          value: inspect(methodArg),
+          value: getAdjustedUntrackedValue(methodArg),
           tracked: false
         }];

package/lib/dataflow/propagation/install/string/match-all.js CHANGED Viewed

@@ -14,7 +14,6 @@
  */
 'use strict';
-const { inspect } = require('@contrast/common');
 const { InstrumentationType: { PROPAGATOR } } = require('../../../../constants');
 const { createSubsetTags } = require('../../../tag-utils');
 const { patchType } = require('../../common');
@@ -56,15 +55,10 @@ module.exports = function(core) {
         value: objInfo.value,
         tracked: true,
       },
-      args: [
-        {
-          value: arg,
-          tracked: false,
-        },
-      ],
+      args: [{ tracked: false, value: arg }],
       tags,
       result: {
-        value: inspect(untrackedResult),
+        value: '[RegExp String Iterator] {}',
         tracked: false,
       },
       stacktraceOpts: {
@@ -131,7 +125,7 @@ module.exports = function(core) {
             resValue.indices && (untrackedResult.indices = resValue.indices);
             let searchIdx = resValue.index;
-            const metadata = { arg: inspect(args[0]), hooked, orig };
+            const metadata = { arg: `${args[0]}`, hooked, orig };
             for (let i = 0; i < resValue.length; i++) {
               let match = resValue[i];

package/lib/dataflow/propagation/install/string/match.js CHANGED Viewed

@@ -14,9 +14,9 @@
  */
 'use strict';
-const { join, inspect } = require('@contrast/common');
+const { ArrayPrototypeJoin } = require('@contrast/common');
 const { patchType } = require('../../common');
-const { createSubsetTags } = require('../../../tag-utils');
+const { createSubsetTags, getAdjustedUntrackedValue } = require('../../../tag-utils');
 module.exports = function(core) {
   const {
@@ -36,13 +36,14 @@ module.exports = function(core) {
   function getPropagationEvent(data, res, objInfo, start) {
     const { args: origArgs, result, hooked, orig } = data;
     const tags = createSubsetTags(objInfo.tags, start, res.length);
     if (!tags) return;
     const args = [
       {
-        value: inspect(origArgs[0]),
+        value: getAdjustedUntrackedValue(origArgs[0]),
         tracked: false,
-      },
+      }
     ];
     return createPropagationEvent({
@@ -58,7 +59,7 @@ module.exports = function(core) {
       args,
       tags,
       result: {
-        value: join(result),
+        value: ArrayPrototypeJoin.call(result),
         tracked: false,
       },
       stacktraceOpts: {

package/lib/dataflow/propagation/install/string/replace.js CHANGED Viewed

@@ -17,13 +17,16 @@
 const {
   DataflowTag: { UNTRUSTED },
-  match: origMatch,
-  inspect,
-  join,
-  substring
+  StringPrototypeMatch,
+  ArrayPrototypeJoin,
+  StringPrototypeSubstring,
 } = require('@contrast/common');
 const { InstrumentationType: { PROPAGATOR } } = require('../../../../constants');
-const { createSubsetTags, createAppendTags } = require('../../../tag-utils');
+const {
+  createSubsetTags,
+  createAppendTags,
+  getAdjustedUntrackedValue
+} = require('../../../tag-utils');
 const { patchType } = require('../../common');
 module.exports = function(core) {
@@ -70,7 +73,7 @@ module.exports = function(core) {
         replace: str.substring(str.indexOf(match) + match.length, str.length)
       }
     ].forEach(({ regex, replace }) => {
-      if (ret && origMatch(ret, regex)) {
+      if (ret && StringPrototypeMatch.call(ret, regex)) {
         // If the match string is tracked, we can actually use the patched replace
         // to keep track of its tag ranges
         if (tracker.getData(replace)) {
@@ -84,7 +87,7 @@ module.exports = function(core) {
     const numberedGroupMatches = replacementType !== 'function' && replacement.match(/\$[1-9][0-9]|\$[1-9]/g);
     if (numberedGroupMatches) {
       numberedGroupMatches.forEach((numberedGroup) => {
-        const group = Number(substring(numberedGroup, 1));
+        const group = Number(StringPrototypeSubstring.call(numberedGroup, 1));
         ret = origReplace.call(ret, numberedGroup, captureGroups[group - 1] || '');
       });
     }
@@ -167,21 +170,24 @@ module.exports = function(core) {
             return;
           }
-          const { _replacementInfo, obj, args: origArgs, result, hooked, orig } = data;
-          const args = [{
-            value: inspect(origArgs[0]),
-            tracked: !!tracker.getData(origArgs[0])
-          },
-          {
-            value: data._replacement,
-            tracked: !!_replacementInfo
-          }];
+          const { obj, args: origArgs, result, hooked, orig } = data;
+          const args = [];
+          if (tracker.getData(origArgs[0])) {
+            args.push({ tracked: true, value: origArgs[0] });
+          } else {
+            args.push({ tracked: false, value: getAdjustedUntrackedValue(origArgs[0]) });
+          }
+          if (data._replacement) {
+            args.push({ tracked: true, value: data._replacement });
+          } else {
+            args.push({ tracked: false, value: getAdjustedUntrackedValue(data._replacement) });
+          }
           const event = createPropagationEvent({
             name,
             moduleName: 'String',
             methodName: 'prototype.replace',
-            context: `'${obj}'.replace(${join(args.map(a => a.value), ', ')})`,
+            context: `'${obj}'.replace(${ArrayPrototypeJoin.call(args.map(a => a.value))})`,
             history: Array.from(data._history),
             object: {
               value: obj,

package/lib/dataflow/propagation/install/string/slice.js CHANGED Viewed

@@ -13,9 +13,9 @@
  * way not consistent with the End User License Agreement.
  */
 'use strict';
-const { inspect, join } = require('@contrast/common');
+const { ArrayPrototypeJoin } = require('@contrast/common');
 const { InstrumentationType: { PROPAGATOR } } = require('../../../../constants');
-const { createSubsetTags } = require('../../../tag-utils');
+const { createSubsetTags, getAdjustedUntrackedValue } = require('../../../tag-utils');
 const { patchType } = require('../../common');
 module.exports = function(core) {
@@ -72,15 +72,15 @@ module.exports = function(core) {
           if (!tags) return;
           const args = origArgs.map((arg) => ({
-            value: inspect(arg),
-            tracked: false
+            tracked: false,
+            value: getAdjustedUntrackedValue(arg)
           }));
           const event = createPropagationEvent({
             name,
             moduleName: 'String',
             methodName: 'prototype.slice',
-            context: `'${objInfo.value}'.slice(${join(args.map(a => a.value), ', ')})`,
+            context: `'${objInfo.value}'.slice(${ArrayPrototypeJoin.call(args.map(a => a.value), ', ')})`,
             history: [objInfo],
             object: {
               value: obj,

package/lib/dataflow/propagation/install/string/split.js CHANGED Viewed

@@ -15,9 +15,9 @@
 'use strict';
-const { join, inspect } = require('@contrast/common');
+const { ArrayPrototypeJoin } = require('@contrast/common');
 const { InstrumentationType: { PROPAGATOR } } = require('../../../../constants');
-const { createSubsetTags } = require('../../../tag-utils');
+const { createSubsetTags, getAdjustedUntrackedValue } = require('../../../tag-utils');
 const { patchType } = require('../../common');
 module.exports = function(core) {
@@ -54,17 +54,16 @@ module.exports = function(core) {
           const args = origArgs.map((arg) => {
             const argInfo = tracker.getData(arg);
-            return {
-              value: argInfo ? argInfo.value : inspect(arg),
-              tracked: !!argInfo
-            };
+            return argInfo ?
+                { tracked: true, value: argInfo.value } :
+                { tracked: false, value: `'${arg}'` };
           });
           const event = eventFactory.createPropagationEvent({
             name,
             moduleName: 'String',
             methodName: 'prototype.split',
-            context: `'${objInfo.value}'.split(${join(args.map(a => a.value), ', ')})`,
+            context: `'${objInfo.value}'.split(${ArrayPrototypeJoin.call(args.map(a => a.value))})`,
             history: [objInfo],
             object: {
               value: obj,
@@ -73,7 +72,7 @@ module.exports = function(core) {
             args,
             tags: {},
             result: {
-              value: join(result),
+              value: getAdjustedUntrackedValue(result),
               tracked: false
             },
             stacktraceOpts: {
@@ -95,9 +94,13 @@ module.exports = function(core) {
             const objSubstrInfo = tracker.getData(objSubstr);
             if (objSubstrInfo) {
               const tags = createSubsetTags(objInfo.tags, start, res.length);
-              if (!tags) continue;
-              const metadata = { ...event, tags };
+              if (!tags) continue;
+              const metadata = {
+                ...event,
+                result: { tracked: true, value: res },
+                tags,
+              };
               eventFactory.createdEvents.add(metadata);
               const { extern } = tracker.track(res, metadata);
@@ -114,4 +117,3 @@ module.exports = function(core) {
     },
   };
 };

package/lib/dataflow/propagation/install/string/substring.js CHANGED Viewed

@@ -15,9 +15,9 @@
 'use strict';
-const { join, inspect } = require('@contrast/common');
+const { ArrayPrototypeJoin } = require('@contrast/common');
 const { InstrumentationType: { PROPAGATOR } } = require('../../../../constants');
-const { createSubsetTags } = require('../../../tag-utils');
+const { createSubsetTags, getAdjustedUntrackedValue } = require('../../../tag-utils');
 const { patchType } = require('../../common');
 module.exports = function(core) {
@@ -82,14 +82,15 @@ module.exports = function(core) {
             if (!tags) return;
             const args = origArgs.map((arg) => ({
-              value: inspect(arg),
-              tracked: false
+              tracked: false,
+              value: getAdjustedUntrackedValue(arg)
             }));
             const event = createPropagationEvent({
               name,
               moduleName: 'String',
               methodName: 'prototype.substring',
-              context: `'${objInfo.value}'.substring(${join(args.map(a => a.value), ', ')})`,
+              context: `'${objInfo.value}'.substring(${ArrayPrototypeJoin.call(args.map(a => a.value))})`,
               history: [objInfo],
               object: {
                 value: obj,

package/lib/dataflow/propagation/install/url/parse.js CHANGED Viewed

@@ -16,7 +16,6 @@
 'use strict';
 const { patchType } = require('../../common');
-const { inspect } = require('@contrast/common');
 module.exports = function(core) {
   const {
@@ -24,6 +23,7 @@ module.exports = function(core) {
     patcher,
     depHooks,
     assess: {
+      inspect, // todo: remove
       eventFactory: { createPropagationEvent },
       dataflow: { tracker }
     }