@contrast/assess 1.32.0 → 1.33.1
This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
|
@@ -34,6 +34,7 @@ module.exports = function(core) {
|
|
|
34
34
|
require('./install/encode-uri')(core);
|
|
35
35
|
require('./install/escape-html')(core);
|
|
36
36
|
require('./install/escape')(core);
|
|
37
|
+
require('./install/fastify-send')(core);
|
|
37
38
|
require('./install/handlebars-utils-escape-expression')(core);
|
|
38
39
|
require('./install/isnumeric-0')(core);
|
|
39
40
|
require('./install/mustache-escape')(core);
|
|
@@ -0,0 +1,47 @@
|
|
|
1
|
+
/*
|
|
2
|
+
* Copyright: 2024 Contrast Security, Inc
|
|
3
|
+
* Contact: support@contrastsecurity.com
|
|
4
|
+
* License: Commercial
|
|
5
|
+
|
|
6
|
+
* NOTICE: This Software and the patented inventions embodied within may only be
|
|
7
|
+
* used as part of Contrast Security’s commercial offerings. Even though it is
|
|
8
|
+
* made available through public repositories, use of this Software is subject to
|
|
9
|
+
* the applicable End User Licensing Agreement found at
|
|
10
|
+
* https://www.contrastsecurity.com/enduser-terms-0317a or as otherwise agreed
|
|
11
|
+
* between Contrast Security and the End User. The Software may not be reverse
|
|
12
|
+
* engineered, modified, repackaged, sold, redistributed or otherwise used in a
|
|
13
|
+
* way not consistent with the End User License Agreement.
|
|
14
|
+
*/
|
|
15
|
+
'use strict';
|
|
16
|
+
|
|
17
|
+
const { patchType } = require('../common');
|
|
18
|
+
const { StringPrototypeSlice } = require('@contrast/common');
|
|
19
|
+
|
|
20
|
+
module.exports = function (core) {
|
|
21
|
+
const {
|
|
22
|
+
depHooks,
|
|
23
|
+
patcher,
|
|
24
|
+
scopes: { sources, instrumentation },
|
|
25
|
+
} = core;
|
|
26
|
+
|
|
27
|
+
return core.assess.dataflow.propagation.fastifySend = {
|
|
28
|
+
install() {
|
|
29
|
+
depHooks.resolve({ name: '@fastify/send', file: 'lib/SendStream.js' }, (_SendStream) => {
|
|
30
|
+
patcher.patch(_SendStream.prototype, 'sendFile', {
|
|
31
|
+
name: '@fastify/send/lib/SendStream.js',
|
|
32
|
+
patchType,
|
|
33
|
+
pre(data) {
|
|
34
|
+
const { args } = data;
|
|
35
|
+
|
|
36
|
+
if (!sources.getStore()?.assess || instrumentation.isLocked()) {
|
|
37
|
+
return;
|
|
38
|
+
}
|
|
39
|
+
|
|
40
|
+
const untrackedPath = StringPrototypeSlice.call(` ${args[0]}`, 1);
|
|
41
|
+
args[0] = untrackedPath;
|
|
42
|
+
},
|
|
43
|
+
});
|
|
44
|
+
});
|
|
45
|
+
}
|
|
46
|
+
};
|
|
47
|
+
};
|
|
@@ -0,0 +1,44 @@
|
|
|
1
|
+
'use strict';
|
|
2
|
+
|
|
3
|
+
const { expect } = require('chai');
|
|
4
|
+
const sinon = require('sinon');
|
|
5
|
+
const { initAssessFixture } = require('../../../../../test/fixtures');
|
|
6
|
+
|
|
7
|
+
describe('assess @fastify/send', function() {
|
|
8
|
+
let core, simulateRequestScope, sendFileStub, SendStreamMock, trackString, tracker;
|
|
9
|
+
|
|
10
|
+
beforeEach(function() {
|
|
11
|
+
({
|
|
12
|
+
core,
|
|
13
|
+
simulateRequestScope,
|
|
14
|
+
trackString
|
|
15
|
+
} = initAssessFixture());
|
|
16
|
+
tracker = core.assess.dataflow.tracker;
|
|
17
|
+
core.assess.dataflow.propagation.fastifySend.install();
|
|
18
|
+
|
|
19
|
+
sendFileStub = sinon.stub();
|
|
20
|
+
SendStreamMock = class SendStream {
|
|
21
|
+
sendFile(path) {
|
|
22
|
+
sendFileStub(path);
|
|
23
|
+
}
|
|
24
|
+
};
|
|
25
|
+
core.depHooks.resolve
|
|
26
|
+
.withArgs({ name: '@fastify/send', file: 'lib/SendStream.js' })
|
|
27
|
+
.yield(SendStreamMock);
|
|
28
|
+
});
|
|
29
|
+
|
|
30
|
+
afterEach(function() {
|
|
31
|
+
sinon.resetHistory();
|
|
32
|
+
});
|
|
33
|
+
|
|
34
|
+
it('should create an untagged copy of the string to pass to original sendFile', function() {
|
|
35
|
+
simulateRequestScope(() => {
|
|
36
|
+
const path = trackString('foo');
|
|
37
|
+
const s = new SendStreamMock();
|
|
38
|
+
s.sendFile(path);
|
|
39
|
+
|
|
40
|
+
expect(sendFileStub).to.have.been.calledWith(path);
|
|
41
|
+
expect(tracker.getData(sendFileStub.getCall(0).firstArg)).to.be.null;
|
|
42
|
+
});
|
|
43
|
+
});
|
|
44
|
+
});
|
package/lib/dataflow/tracker.js
CHANGED
|
@@ -16,7 +16,7 @@
|
|
|
16
16
|
'use strict';
|
|
17
17
|
|
|
18
18
|
const distringuish = require('@contrast/distringuish');
|
|
19
|
-
const { isString } = require('@contrast/common');
|
|
19
|
+
const { BufferPrototypeToString, BufferFrom, isString } = require('@contrast/common');
|
|
20
20
|
|
|
21
21
|
module.exports = function tracker(core) {
|
|
22
22
|
const {
|
|
@@ -58,6 +58,11 @@ module.exports = function tracker(core) {
|
|
|
58
58
|
}
|
|
59
59
|
|
|
60
60
|
if (typeof value === 'string') {
|
|
61
|
+
// todo: don't track string representations of numbers
|
|
62
|
+
// if (!isNaN(+value)) {
|
|
63
|
+
// return { extern: null };
|
|
64
|
+
// }
|
|
65
|
+
|
|
61
66
|
if (distringuish.getProperties(value)) {
|
|
62
67
|
const err = new Error();
|
|
63
68
|
logger.error({ err, value }, 'tracker.track called with a string value that is already tracked');
|
|
@@ -68,7 +73,7 @@ module.exports = function tracker(core) {
|
|
|
68
73
|
|
|
69
74
|
if (extern == 2) {
|
|
70
75
|
// Try work-around for some wrong/unknown encoding
|
|
71
|
-
extern = distringuish.externalize(
|
|
76
|
+
extern = distringuish.externalize(BufferPrototypeToString.call(BufferFrom(value)));
|
|
72
77
|
}
|
|
73
78
|
|
|
74
79
|
if (!extern || !isString(extern)) {
|
|
@@ -37,9 +37,18 @@ module.exports = function(core) {
|
|
|
37
37
|
*/
|
|
38
38
|
return core.assess.getSourceContext = function getSourceContext(type, ...rest) {
|
|
39
39
|
const ctx = sources.getStore()?.assess;
|
|
40
|
-
|
|
40
|
+
// <unsafe>
|
|
41
|
+
// This method is expected to be called by all Assess instrumentation components prior to doing work.
|
|
42
|
+
// Until we check policy, and whether instrumentation is locked, any instrumentation that is called before
|
|
43
|
+
// the </unsafe> section below will result in infinite recursion.
|
|
44
|
+
//
|
|
45
|
+
// E.g. Uncommenting any line below will cause a stack overflow:
|
|
46
|
+
// 'asdf'.concat()
|
|
47
|
+
// console.log() // even though this is deadzoned, we haven't checked whether instrumentation is locked yet
|
|
48
|
+
//
|
|
41
49
|
// policy will not exist if assess is altogether disabled for the active request e.g. url exclusion
|
|
42
50
|
if (!ctx?.policy || instrumentation.isLocked()) return null;
|
|
51
|
+
// </unsafe> but still be careful
|
|
43
52
|
|
|
44
53
|
switch (type) {
|
|
45
54
|
case InstrumentationType.PROPAGATOR: {
|
package/package.json
CHANGED
|
@@ -1,6 +1,6 @@
|
|
|
1
1
|
{
|
|
2
2
|
"name": "@contrast/assess",
|
|
3
|
-
"version": "1.
|
|
3
|
+
"version": "1.33.1",
|
|
4
4
|
"description": "Contrast service providing framework-agnostic Assess support",
|
|
5
5
|
"license": "SEE LICENSE IN LICENSE",
|
|
6
6
|
"author": "Contrast Security <nodejs@contrastsecurity.com> (https://www.contrastsecurity.com)",
|
|
@@ -17,8 +17,15 @@
|
|
|
17
17
|
"test": "../scripts/test.sh"
|
|
18
18
|
},
|
|
19
19
|
"dependencies": {
|
|
20
|
-
"@contrast/common": "1.
|
|
20
|
+
"@contrast/common": "1.24.0",
|
|
21
|
+
"@contrast/config": "1.31.0",
|
|
22
|
+
"@contrast/core": "1.35.1",
|
|
23
|
+
"@contrast/dep-hooks": "1.3.4",
|
|
21
24
|
"@contrast/distringuish": "^5.0.0",
|
|
22
|
-
"@contrast/
|
|
25
|
+
"@contrast/instrumentation": "1.13.1",
|
|
26
|
+
"@contrast/logger": "1.8.5",
|
|
27
|
+
"@contrast/patcher": "1.7.5",
|
|
28
|
+
"@contrast/rewriter": "1.11.1",
|
|
29
|
+
"@contrast/scopes": "1.4.2"
|
|
23
30
|
}
|
|
24
31
|
}
|