@contrast/assess 1.28.0 → 1.29.0

package/lib/response-scanning/handlers/utils.js

@@ -15,7 +15,14 @@
 
 'use strict';
 
-const { join, substring, toLowerCase, split, trim, replace } = require('@contrast/common');
+const {
+  ArrayPrototypeJoin,
+  StringPrototypeSubstring,
+  StringPrototypeToLowerCase,
+  StringPrototypeSplit,
+  StringPrototypeTrim,
+  StringPrototypeReplace
+} = require('@contrast/common');
 
 //
 // General HTML utils
@@ -32,7 +39,7 @@ const reHasUnescapedHtml = RegExp(reUnescapedHtml.source);
 
 function escapeHtml(string) {
   return (string && reHasUnescapedHtml.test(string))
-    ? replace(string, reUnescapedHtml, (chr) => htmlEscapes[chr])
+    ? StringPrototypeReplace.call(string, reUnescapedHtml, (chr) => htmlEscapes[chr])
     : (string || '');
 }
 
@@ -54,7 +61,7 @@ function getElements(htmlTag, content = '') {
     [htmlTagRangeStart, htmlTagRangeLength] = getHtmlTagRange(htmlTag, content, offset);
     if (htmlTagRangeStart >= 0) {
       offset = htmlTagRangeStart + htmlTagRangeLength;
-      elements.push(substring(content, htmlTagRangeStart, offset));
+      elements.push(StringPrototypeSubstring.call(content, htmlTagRangeStart, offset));
     }
   } while (htmlTagRangeStart >= 0);
 
@@ -69,7 +76,7 @@ function isHtmlContent(responseHeaders) {
   }
 
   // we may want to do a case-insensitive search through object keys here
-  const contentType = toLowerCase(responseHeaders['Content-Type'] || responseHeaders['content-type'] || '');
+  const contentType = StringPrototypeToLowerCase.call(responseHeaders['Content-Type'] || responseHeaders['content-type'] || '');
 
   return (
     !contentType ||
@@ -88,7 +95,7 @@ function isParseableResponse(responseHeaders) {
   // we may want to do a case-insensitive search through object keys here
   let contentType =
     responseHeaders['Content-Type'] || responseHeaders['content-type'];
-  if (contentType) contentType = toLowerCase(contentType);
+  if (contentType) contentType = StringPrototypeToLowerCase.call(contentType);
 
   return (
     !contentType ||
@@ -123,7 +130,7 @@ function getAttribute(attribute, htmlTag = '') {
     }
   }
 
-  return substring(htmlTag, attrStart, attrEnd);
+  return StringPrototypeSubstring.call(htmlTag, attrStart, attrEnd);
 }
 
 /**
@@ -213,16 +220,16 @@ function checkCacheControlValue(value = '') {
     let noStore = false;
 
     value.forEach((directive) => {
-      if (toLowerCase(directive).includes('no-cache')) {
+      if (StringPrototypeToLowerCase.call(directive).includes('no-cache')) {
         noCache = true;
       }
-      if (toLowerCase(directive).includes('no-store')) {
+      if (StringPrototypeToLowerCase.call(directive).includes('no-store')) {
         noStore = true;
       }
     });
     return [noCache, noStore];
   } else {
-    value = toLowerCase(value);
+    value = StringPrototypeToLowerCase.call(value);
     return [value.includes('no-cache'), value.includes('no-store')];
   }
 }
@@ -317,7 +324,7 @@ function formatSource({
   }
 
   data[`${key}Secure`] = isSecure;
-  data[`${key}Value`] = join(sources, ' ');
+  data[`${key}Value`] = ArrayPrototypeJoin.call(sources, ' ');
 }
 
 /**
@@ -325,8 +332,8 @@ function formatSource({
  */
 function policyParser(policy) {
   const result = {};
-  for (const directive of split(policy, ';')) {
-    const [directiveKey, ...directiveValue] = split(trim(directive), /\s+/g);
+  for (const directive of StringPrototypeSplit.call(policy, ';')) {
+    const [directiveKey, ...directiveValue] = StringPrototypeSplit.call(StringPrototypeTrim.call(directive), /\s+/g);
     if (
       directiveKey &&
       !Object.prototype.hasOwnProperty.call(result, directiveKey)

package/lib/response-scanning/install/http.js

@@ -15,7 +15,7 @@
 
 'use strict';
 
-const { split, substring, toLowerCase, trim } = require('@contrast/common');
+const { StringPrototypeSplit, StringPrototypeSubstring, StringPrototypeToLowerCase, StringPrototypeTrim } = require('@contrast/common');
 
 /**
  * @param {{
@@ -46,13 +46,13 @@ module.exports = function(core) {
 
   function parseHeaders(rawHeaders) {
     const headersToParse = rawHeaders || '';
-    const headersArray = split(headersToParse, '\r\n').filter(Boolean);
+    const headersArray = StringPrototypeSplit.call(headersToParse, '\r\n').filter(Boolean);
     return headersArray.reduce((acc, header) => {
       const idx = header.indexOf(':');
 
       if (idx > -1) {
-        const name = toLowerCase(substring(header, 0, idx));
-        const value = trim(substring(header, idx + 1));
+        const name = StringPrototypeToLowerCase.call(StringPrototypeSubstring.call(header, 0, idx));
+        const value = StringPrototypeTrim.call(StringPrototypeSubstring.call(header, idx + 1));
         const currentValue = acc[name];
         acc[name] = currentValue
           ? Array.isArray(currentValue)
@@ -100,7 +100,7 @@ module.exports = function(core) {
             if (!sourceContext) return;
 
             const evaluationContext = {
-              responseBody: toLowerCase(data.args[0] || ''),
+              responseBody: StringPrototypeToLowerCase.call(data.args[0] || ''),
               responseHeaders: parseHeaders(data.result._header),
             };
 
@@ -118,7 +118,7 @@ module.exports = function(core) {
             if (!sourceContext) return;
 
             const evaluationContext = {
-              responseBody: toLowerCase(data.args[0] || ''),
+              responseBody: StringPrototypeToLowerCase.call(data.args[0] || ''),
               responseHeaders: parseHeaders(data.result._header),
             };
 
@@ -141,7 +141,7 @@ module.exports = function(core) {
 
             const headersSymbol = Object.getOwnPropertySymbols(data.obj).find(symbol => symbol.toString().includes('headers'));
             const evaluationContext = {
-              responseBody: toLowerCase(data.args[0] || ''),
+              responseBody: StringPrototypeToLowerCase.call(data.args[0] || ''),
               responseHeaders: data.obj[headersSymbol],
             };
 
@@ -160,7 +160,7 @@ module.exports = function(core) {
 
             const headersSymbol = Object.getOwnPropertySymbols(data.result).find(symbol => symbol.toString().includes('headers'));
             const evaluationContext = {
-              responseBody: toLowerCase(data.args[0] || ''),
+              responseBody: StringPrototypeToLowerCase.call(data.args[0] || ''),
               responseHeaders: data.result[headersSymbol],
             };
 
@@ -169,57 +169,7 @@ module.exports = function(core) {
         });
       }
 
-      // patching the stream object
-      ['createServer', 'createSecureServer'].forEach((server) => {
-        patcher.patch(http2, server, {
-          name: `http2.${server}`,
-          patchType,
-          post(data) {
-            // The other option is once again to patch the `emit` method of the server
-            // similar to how we patch it for creating sources, but take action only on
-            // `stream` events. I chose the currentt approach because the hook will only
-            // run on a `stream` event instead of checking and returning on each `request`
-            // connect.
-            data.result._events = patcher.patch(data.result._events, 'stream', {
-              name: 'stream',
-              patchType: 'stream-patch',
-              pre(data) {
-                patcher.patch(data.args[0], 'write', {
-                  name: 'Http2Stream.write',
-                  patchType,
-                  post(data) {
-                    const sourceContext = getSourceContext();
-                    if (!sourceContext) return;
-
-                    const evaluationContext = {
-                      responseBody: toLowerCase(data.args[0] || ''),
-                      responseHeaders: data.obj.sentHeaders,
-                    };
-
-                    writeHookChecks(sourceContext, evaluationContext);
-                  }
-                });
-
-                patcher.patch(data.args[0], 'end', {
-                  name: 'Http2Stream.end',
-                  patchType,
-                  post(data) {
-                    const sourceContext = getSourceContext();
-                    if (!sourceContext) return;
-
-                    const evaluationContext = {
-                      responseBody: toLowerCase(data.args[0] || ''),
-                      responseHeaders: data.obj.sentHeaders,
-                    };
-
-                    endHookChecks(sourceContext, evaluationContext);
-                  }
-                });
-              }
-            });
-          }
-        });
-      });
+      // todo: patching the stream object (NODE-3467)
     });
   };
 

package/lib/session-configuration/install/express-session.js

@@ -14,8 +14,7 @@
  */
 'use strict';
 
-const util = require('util');
-const { toLowerCase } = require('@contrast/common');
+const { StringPrototypeToLowerCase } = require('@contrast/common');
 const { patchType } = require('../common');
 
 /**
@@ -27,6 +26,7 @@ const { patchType } = require('../common');
 module.exports = function (core) {
   const {
     assess: {
+      inspect, // todo: remove
       getSourceContext,
       eventFactory: { createSessionEvent },
       sessionConfiguration: {
@@ -40,8 +40,6 @@ module.exports = function (core) {
 
   const expressSession = core.assess.sessionConfiguration.expressSession = {};
 
-  const inspect = patcher.unwrap(util.inspect);
-
   expressSession.install = function () {
     return depHooks.resolve({ name: 'express-session' }, (session) => {
       // Return the hooked function as the export.
@@ -104,7 +102,7 @@ module.exports = function (core) {
                 name: 'http.setHeader',
                 patchType,
                 pre({ args: [key, value] }) {
-                  if (toLowerCase(key) !== 'set-cookie') return;
+                  if (StringPrototypeToLowerCase.call(key) !== 'set-cookie') return;
 
                   if (checkForHTTPOnly) {
                     handleHttpOnly(sourceContext, value, sessionEvent);

package/lib/session-configuration/install/fastify-cookie.js

@@ -14,8 +14,7 @@
  */
 'use strict';
 
-const { inspect } = require('util');
-const { toLowerCase } = require('@contrast/common');
+const { StringPrototypeToLowerCase } = require('@contrast/common');
 const { patchType } = require('../common');
 
 /**
@@ -27,6 +26,7 @@ const { patchType } = require('../common');
 module.exports = function (core) {
   const {
     assess: {
+      inspect, // todo: remove
       getSourceContext,
       eventFactory: { createSessionEvent },
       sessionConfiguration: {
@@ -82,7 +82,7 @@ module.exports = function (core) {
                 name: 'fastify.Reply.header',
                 pre(data) {
                   const [key, value] = data.args;
-                  if (toLowerCase(key) !== 'set-cookie') return;
+                  if (StringPrototypeToLowerCase.call(key) !== 'set-cookie') return;
 
                   const sourceContext = getSourceContext();
                   if (!sourceContext) return;

package/lib/session-configuration/install/hapi.js

@@ -14,12 +14,12 @@
  */
 'use strict';
 
-const util = require('util');
 const { patchType } = require('../common');
 
 module.exports = function (core) {
   const {
     assess: {
+      inspect, // todo: remove
       eventFactory: { createSessionEvent },
       sessionConfiguration: {
         handleHttpOnly,
@@ -33,8 +33,6 @@ module.exports = function (core) {
 
   const hapiSession = core.assess.sessionConfiguration.hapiSession = {};
 
-  const inspect = patcher.unwrap(util.inspect);
-
   hapiSession.install = function () {
     return depHooks.resolve({ name: '@hapi/hapi', version: '>=18 <22' }, (hapi) => {
       ['server', 'Server'].forEach((server) => {

package/lib/session-configuration/install/koa.js

@@ -14,7 +14,6 @@
  */
 'use strict';
 
-const { inspect } = require('util');
 const { patchType } = require('../common');
 
 /**
@@ -26,6 +25,7 @@ const { patchType } = require('../common');
 module.exports = function (core) {
   const {
     assess: {
+      inspect, // todo: remove
       getSourceContext,
       eventFactory: { createSessionEvent },
       sessionConfiguration: {

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@contrast/assess",
-  "version": "1.28.0",
+  "version": "1.29.0",
   "description": "Contrast service providing framework-agnostic Assess support",
   "license": "SEE LICENSE IN LICENSE",
   "author": "Contrast Security <nodejs@contrastsecurity.com> (https://www.contrastsecurity.com)",
@@ -11,14 +11,14 @@
   "types": "lib/index.d.ts",
   "engines": {
     "npm": ">=6.13.7 <7 || >= 8.3.1",
-    "node": ">= 14.18.0"
+    "node": ">= 16.9.1"
   },
   "scripts": {
     "test": "../scripts/test.sh"
   },
   "dependencies": {
-    "@contrast/common": "1.21.0",
-    "@contrast/distringuish": "^4.4.0",
+    "@contrast/common": "1.21.1",
+    "@contrast/distringuish": "^5.0.0",
     "@contrast/scopes": "1.4.1"
   }
 }