@contrast/assess 1.28.1 → 1.29.1

package/lib/response-scanning/handlers/utils.js

@@ -15,7 +15,14 @@
 
 'use strict';
 
-const { join, substring, toLowerCase, split, trim, replace } = require('@contrast/common');
+const {
+  ArrayPrototypeJoin,
+  StringPrototypeSubstring,
+  StringPrototypeToLowerCase,
+  StringPrototypeSplit,
+  StringPrototypeTrim,
+  StringPrototypeReplace
+} = require('@contrast/common');
 
 //
 // General HTML utils
@@ -32,7 +39,7 @@ const reHasUnescapedHtml = RegExp(reUnescapedHtml.source);
 
 function escapeHtml(string) {
   return (string && reHasUnescapedHtml.test(string))
-    ? replace(string, reUnescapedHtml, (chr) => htmlEscapes[chr])
+    ? StringPrototypeReplace.call(string, reUnescapedHtml, (chr) => htmlEscapes[chr])
     : (string || '');
 }
 
@@ -54,7 +61,7 @@ function getElements(htmlTag, content = '') {
     [htmlTagRangeStart, htmlTagRangeLength] = getHtmlTagRange(htmlTag, content, offset);
     if (htmlTagRangeStart >= 0) {
       offset = htmlTagRangeStart + htmlTagRangeLength;
-      elements.push(substring(content, htmlTagRangeStart, offset));
+      elements.push(StringPrototypeSubstring.call(content, htmlTagRangeStart, offset));
     }
   } while (htmlTagRangeStart >= 0);
 
@@ -69,7 +76,7 @@ function isHtmlContent(responseHeaders) {
   }
 
   // we may want to do a case-insensitive search through object keys here
-  const contentType = toLowerCase(responseHeaders['Content-Type'] || responseHeaders['content-type'] || '');
+  const contentType = StringPrototypeToLowerCase.call(responseHeaders['Content-Type'] || responseHeaders['content-type'] || '');
 
   return (
     !contentType ||
@@ -88,7 +95,7 @@ function isParseableResponse(responseHeaders) {
   // we may want to do a case-insensitive search through object keys here
   let contentType =
     responseHeaders['Content-Type'] || responseHeaders['content-type'];
-  if (contentType) contentType = toLowerCase(contentType);
+  if (contentType) contentType = StringPrototypeToLowerCase.call(contentType);
 
   return (
     !contentType ||
@@ -123,7 +130,7 @@ function getAttribute(attribute, htmlTag = '') {
     }
   }
 
-  return substring(htmlTag, attrStart, attrEnd);
+  return StringPrototypeSubstring.call(htmlTag, attrStart, attrEnd);
 }
 
 /**
@@ -213,16 +220,16 @@ function checkCacheControlValue(value = '') {
     let noStore = false;
 
     value.forEach((directive) => {
-      if (toLowerCase(directive).includes('no-cache')) {
+      if (StringPrototypeToLowerCase.call(directive).includes('no-cache')) {
         noCache = true;
       }
-      if (toLowerCase(directive).includes('no-store')) {
+      if (StringPrototypeToLowerCase.call(directive).includes('no-store')) {
         noStore = true;
       }
     });
     return [noCache, noStore];
   } else {
-    value = toLowerCase(value);
+    value = StringPrototypeToLowerCase.call(value);
     return [value.includes('no-cache'), value.includes('no-store')];
   }
 }
@@ -317,7 +324,7 @@ function formatSource({
   }
 
   data[`${key}Secure`] = isSecure;
-  data[`${key}Value`] = join(sources, ' ');
+  data[`${key}Value`] = ArrayPrototypeJoin.call(sources, ' ');
 }
 
 /**
@@ -325,8 +332,8 @@ function formatSource({
  */
 function policyParser(policy) {
   const result = {};
-  for (const directive of split(policy, ';')) {
-    const [directiveKey, ...directiveValue] = split(trim(directive), /\s+/g);
+  for (const directive of StringPrototypeSplit.call(policy, ';')) {
+    const [directiveKey, ...directiveValue] = StringPrototypeSplit.call(StringPrototypeTrim.call(directive), /\s+/g);
     if (
       directiveKey &&
       !Object.prototype.hasOwnProperty.call(result, directiveKey)

package/lib/response-scanning/install/http.js

@@ -15,7 +15,7 @@
 
 'use strict';
 
-const { split, substring, toLowerCase, trim } = require('@contrast/common');
+const { StringPrototypeSplit, StringPrototypeSubstring, StringPrototypeToLowerCase, StringPrototypeTrim } = require('@contrast/common');
 
 /**
  * @param {{
@@ -46,13 +46,13 @@ module.exports = function(core) {
 
   function parseHeaders(rawHeaders) {
     const headersToParse = rawHeaders || '';
-    const headersArray = split(headersToParse, '\r\n').filter(Boolean);
+    const headersArray = StringPrototypeSplit.call(headersToParse, '\r\n').filter(Boolean);
     return headersArray.reduce((acc, header) => {
       const idx = header.indexOf(':');
 
       if (idx > -1) {
-        const name = toLowerCase(substring(header, 0, idx));
-        const value = trim(substring(header, idx + 1));
+        const name = StringPrototypeToLowerCase.call(StringPrototypeSubstring.call(header, 0, idx));
+        const value = StringPrototypeTrim.call(StringPrototypeSubstring.call(header, idx + 1));
         const currentValue = acc[name];
         acc[name] = currentValue
           ? Array.isArray(currentValue)
@@ -67,25 +67,25 @@ module.exports = function(core) {
 
   const patchType = 'response-scanning';
 
-  function writeHookChecks(sourceContext, evaluationContext) {
+  function writeHookChecks(sourceContext, resHeaders, resBody) {
     // Check only the rules concerning the response body
-    handleAutoCompleteMissing(sourceContext, evaluationContext);
-    handleCacheControlsMissing(sourceContext, evaluationContext);
-    handleParameterPollution(sourceContext, evaluationContext);
-    handleXxsProtectionHeaderDisabled(sourceContext, evaluationContext);
+    handleAutoCompleteMissing(sourceContext, resHeaders, resBody);
+    handleCacheControlsMissing(sourceContext, resHeaders, resBody);
+    handleParameterPollution(sourceContext, resBody);
+    handleXxsProtectionHeaderDisabled(sourceContext, resHeaders, resBody);
   }
 
-  function endHookChecks(sourceContext, evaluationContext) {
+  function endHookChecks(sourceContext, resHeaders, resBody) {
     // Check all the response scanning rules
-    handleAutoCompleteMissing(sourceContext, evaluationContext);
-    handleCacheControlsMissing(sourceContext, evaluationContext);
-    handleClickJackingControlsMissing(sourceContext, evaluationContext);
-    handleParameterPollution(sourceContext, evaluationContext);
-    handleCspHeader(sourceContext, evaluationContext);
-    handleHstsHeaderMissing(sourceContext, evaluationContext);
-    handleXPoweredByHeader(sourceContext, evaluationContext);
-    handleXContentTypeHeaderMissing(sourceContext, evaluationContext);
-    handleXxsProtectionHeaderDisabled(sourceContext, evaluationContext);
+    handleAutoCompleteMissing(sourceContext, resHeaders, resBody);
+    handleCacheControlsMissing(sourceContext, resHeaders, resBody);
+    handleClickJackingControlsMissing(sourceContext, resHeaders, resBody);
+    handleParameterPollution(sourceContext, resBody);
+    handleCspHeader(sourceContext, resHeaders);
+    handleHstsHeaderMissing(sourceContext, resHeaders);
+    handleXPoweredByHeader(sourceContext, resHeaders);
+    handleXContentTypeHeaderMissing(sourceContext, resHeaders);
+    handleXxsProtectionHeaderDisabled(sourceContext, resHeaders);
   }
 
   http.install = function() {
@@ -98,13 +98,7 @@ module.exports = function(core) {
           post(data) {
             const sourceContext = getSourceContext();
             if (!sourceContext) return;
-
-            const evaluationContext = {
-              responseBody: toLowerCase(data.args[0] || ''),
-              responseHeaders: parseHeaders(data.result._header),
-            };
-
-            writeHookChecks(sourceContext, evaluationContext);
+            writeHookChecks(sourceContext, parseHeaders(data.result._header), StringPrototypeToLowerCase.call(data.args[0] || ''));
           }
         });
       }
@@ -116,20 +110,14 @@ module.exports = function(core) {
           post(data) {
             const sourceContext = getSourceContext();
             if (!sourceContext) return;
-
-            const evaluationContext = {
-              responseBody: toLowerCase(data.args[0] || ''),
-              responseHeaders: parseHeaders(data.result._header),
-            };
-
-            endHookChecks(sourceContext, evaluationContext);
+            endHookChecks(sourceContext, parseHeaders(data.result._header), StringPrototypeToLowerCase.call(data.args[0] || ''));
           }
         });
       }
     });
 
     depHooks.resolve({ name: 'http2' }, (http2) => {
-      // Patching the response object
+      // todo: NODE-3467
       {
         const name = 'http2.Http2ServerResponse.prototype.write';
         patcher.patch(http2.Http2ServerResponse.prototype, 'write', {
@@ -138,14 +126,8 @@ module.exports = function(core) {
           post(data) {
             const sourceContext = getSourceContext();
             if (!sourceContext) return;
-
             const headersSymbol = Object.getOwnPropertySymbols(data.obj).find(symbol => symbol.toString().includes('headers'));
-            const evaluationContext = {
-              responseBody: toLowerCase(data.args[0] || ''),
-              responseHeaders: data.obj[headersSymbol],
-            };
-
-            writeHookChecks(sourceContext, evaluationContext);
+            writeHookChecks(sourceContext, data.obj[headersSymbol], StringPrototypeToLowerCase.call(data.args[0] || ''));
           }
         });
       }
@@ -159,70 +141,24 @@ module.exports = function(core) {
             if (!sourceContext) return;
 
             const headersSymbol = Object.getOwnPropertySymbols(data.result).find(symbol => symbol.toString().includes('headers'));
-            const evaluationContext = {
-              responseBody: toLowerCase(data.args[0] || ''),
-              responseHeaders: data.result[headersSymbol],
-            };
-
-            endHookChecks(sourceContext, evaluationContext);
+            endHookChecks(sourceContext, data.result[headersSymbol], StringPrototypeToLowerCase.call(data.args[0] || ''));
           }
         });
       }
+    });
 
-      // patching the stream object
-      ['createServer', 'createSecureServer'].forEach((server) => {
-        patcher.patch(http2, server, {
-          name: `http2.${server}`,
-          patchType,
-          post(data) {
-            // The other option is once again to patch the `emit` method of the server
-            // similar to how we patch it for creating sources, but take action only on
-            // `stream` events. I chose the currentt approach because the hook will only
-            // run on a `stream` event instead of checking and returning on each `request`
-            // connect.
-            data.result._events = patcher.patch(data.result._events, 'stream', {
-              name: 'stream',
-              patchType: 'stream-patch',
-              pre(data) {
-                patcher.patch(data.args[0], 'write', {
-                  name: 'Http2Stream.write',
-                  patchType,
-                  post(data) {
-                    const sourceContext = getSourceContext();
-                    if (!sourceContext) return;
-
-                    const evaluationContext = {
-                      responseBody: toLowerCase(data.args[0] || ''),
-                      responseHeaders: data.obj.sentHeaders,
-                    };
-
-                    writeHookChecks(sourceContext, evaluationContext);
-                  }
-                });
-
-                patcher.patch(data.args[0], 'end', {
-                  name: 'Http2Stream.end',
-                  patchType,
-                  post(data) {
-                    const sourceContext = getSourceContext();
-                    if (!sourceContext) return;
-
-                    const evaluationContext = {
-                      responseBody: toLowerCase(data.args[0] || ''),
-                      responseHeaders: data.obj.sentHeaders,
-                    };
-
-                    endHookChecks(sourceContext, evaluationContext);
-                  }
-                });
-              }
-            });
-          }
-        });
+    depHooks.resolve({ name: 'spdy', file: 'lib/spdy/response.js' }, (response) => {
+      patcher.patch(response, 'end', {
+        name: 'spdy.response.end',
+        patchType: 'test',
+        post(data) {
+          const sourceContext = getSourceContext();
+          if (!sourceContext) return;
+          endHookChecks(sourceContext, data.obj.getHeaders?.(), StringPrototypeToLowerCase.call(data.args[0] || ''));
+        }
       });
     });
   };
 
   return http;
 };
-

package/lib/session-configuration/install/express-session.js

@@ -14,7 +14,7 @@
  */
 'use strict';
 
-const { toLowerCase } = require('@contrast/common');
+const { StringPrototypeToLowerCase } = require('@contrast/common');
 const { patchType } = require('../common');
 
 /**
@@ -102,7 +102,7 @@ module.exports = function (core) {
                 name: 'http.setHeader',
                 patchType,
                 pre({ args: [key, value] }) {
-                  if (toLowerCase(key) !== 'set-cookie') return;
+                  if (StringPrototypeToLowerCase.call(key) !== 'set-cookie') return;
 
                   if (checkForHTTPOnly) {
                     handleHttpOnly(sourceContext, value, sessionEvent);

package/lib/session-configuration/install/fastify-cookie.js

@@ -14,7 +14,7 @@
  */
 'use strict';
 
-const { toLowerCase } = require('@contrast/common');
+const { StringPrototypeToLowerCase } = require('@contrast/common');
 const { patchType } = require('../common');
 
 /**
@@ -82,7 +82,7 @@ module.exports = function (core) {
                 name: 'fastify.Reply.header',
                 pre(data) {
                   const [key, value] = data.args;
-                  if (toLowerCase(key) !== 'set-cookie') return;
+                  if (StringPrototypeToLowerCase.call(key) !== 'set-cookie') return;
 
                   const sourceContext = getSourceContext();
                   if (!sourceContext) return;

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@contrast/assess",
-  "version": "1.28.1",
+  "version": "1.29.1",
   "description": "Contrast service providing framework-agnostic Assess support",
   "license": "SEE LICENSE IN LICENSE",
   "author": "Contrast Security <nodejs@contrastsecurity.com> (https://www.contrastsecurity.com)",
@@ -11,14 +11,14 @@
   "types": "lib/index.d.ts",
   "engines": {
     "npm": ">=6.13.7 <7 || >= 8.3.1",
-    "node": ">= 14.18.0"
+    "node": ">= 16.9.1"
   },
   "scripts": {
     "test": "../scripts/test.sh"
   },
   "dependencies": {
-    "@contrast/common": "1.21.0",
-    "@contrast/distringuish": "^4.4.0",
+    "@contrast/common": "1.21.2",
+    "@contrast/distringuish": "^5.0.0",
     "@contrast/scopes": "1.4.1"
   }
 }