@contrast/assess 1.32.0 → 1.33.0
This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
- package/lib/dataflow/tracker.js +7 -2
- package/lib/get-source-context.js +10 -1
- package/package.json +2 -2
package/lib/dataflow/tracker.js
CHANGED
|
@@ -16,7 +16,7 @@
|
|
|
16
16
|
'use strict';
|
|
17
17
|
|
|
18
18
|
const distringuish = require('@contrast/distringuish');
|
|
19
|
-
const { isString } = require('@contrast/common');
|
|
19
|
+
const { BufferPrototypeToString, BufferFrom, isString } = require('@contrast/common');
|
|
20
20
|
|
|
21
21
|
module.exports = function tracker(core) {
|
|
22
22
|
const {
|
|
@@ -58,6 +58,11 @@ module.exports = function tracker(core) {
|
|
|
58
58
|
}
|
|
59
59
|
|
|
60
60
|
if (typeof value === 'string') {
|
|
61
|
+
// todo: don't track string representations of numbers
|
|
62
|
+
// if (!isNaN(+value)) {
|
|
63
|
+
// return { extern: null };
|
|
64
|
+
// }
|
|
65
|
+
|
|
61
66
|
if (distringuish.getProperties(value)) {
|
|
62
67
|
const err = new Error();
|
|
63
68
|
logger.error({ err, value }, 'tracker.track called with a string value that is already tracked');
|
|
@@ -68,7 +73,7 @@ module.exports = function tracker(core) {
|
|
|
68
73
|
|
|
69
74
|
if (extern == 2) {
|
|
70
75
|
// Try work-around for some wrong/unknown encoding
|
|
71
|
-
extern = distringuish.externalize(
|
|
76
|
+
extern = distringuish.externalize(BufferPrototypeToString.call(BufferFrom(value)));
|
|
72
77
|
}
|
|
73
78
|
|
|
74
79
|
if (!extern || !isString(extern)) {
|
|
@@ -37,9 +37,18 @@ module.exports = function(core) {
|
|
|
37
37
|
*/
|
|
38
38
|
return core.assess.getSourceContext = function getSourceContext(type, ...rest) {
|
|
39
39
|
const ctx = sources.getStore()?.assess;
|
|
40
|
-
|
|
40
|
+
// <unsafe>
|
|
41
|
+
// This method is expected to be called by all Assess instrumentation components prior to doing work.
|
|
42
|
+
// Until we check policy, and whether instrumentation is locked, any instrumentation that is called before
|
|
43
|
+
// the </unsafe> section below will result in infinite recursion.
|
|
44
|
+
//
|
|
45
|
+
// E.g. Uncommenting any line below will cause a stack overflow:
|
|
46
|
+
// 'asdf'.concat()
|
|
47
|
+
// console.log() // even though this is deadzoned, we haven't checked whether instrumentation is locked yet
|
|
48
|
+
//
|
|
41
49
|
// policy will not exist if assess is altogether disabled for the active request e.g. url exclusion
|
|
42
50
|
if (!ctx?.policy || instrumentation.isLocked()) return null;
|
|
51
|
+
// </unsafe> but still be careful
|
|
43
52
|
|
|
44
53
|
switch (type) {
|
|
45
54
|
case InstrumentationType.PROPAGATOR: {
|
package/package.json
CHANGED
|
@@ -1,6 +1,6 @@
|
|
|
1
1
|
{
|
|
2
2
|
"name": "@contrast/assess",
|
|
3
|
-
"version": "1.
|
|
3
|
+
"version": "1.33.0",
|
|
4
4
|
"description": "Contrast service providing framework-agnostic Assess support",
|
|
5
5
|
"license": "SEE LICENSE IN LICENSE",
|
|
6
6
|
"author": "Contrast Security <nodejs@contrastsecurity.com> (https://www.contrastsecurity.com)",
|
|
@@ -17,7 +17,7 @@
|
|
|
17
17
|
"test": "../scripts/test.sh"
|
|
18
18
|
},
|
|
19
19
|
"dependencies": {
|
|
20
|
-
"@contrast/common": "1.
|
|
20
|
+
"@contrast/common": "1.24.0",
|
|
21
21
|
"@contrast/distringuish": "^5.0.0",
|
|
22
22
|
"@contrast/scopes": "1.4.1"
|
|
23
23
|
}
|