@contrast/assess 1.33.1 → 1.35.0

package/lib/crypto-analysis/install/crypto.js

@@ -20,6 +20,7 @@ const {
   isString,
   StringPrototypeToLowerCase,
 } = require('@contrast/common');
+const semver = require('semver');
 const { InstrumentationType: { RULE } } = require('../../constants');
 const { PATCH_TYPE: patchType } = require('../common');
 
@@ -124,7 +125,10 @@ module.exports = function (core) {
           },
         });
 
-        for (const method of ['createCipher', 'createCipheriv']) {
+        // See NODE-3533 'createCipher' not included in Node 22+
+        const methods = ['createCipheriv'];
+        if (semver.lt(process.version, '22.0.0')) methods.push('createCipher');
+        for (const method of methods) {
           patcher.patch(_export, method, {
             name: `crypto.${method}`,
             patchType,

package/lib/crypto-analysis/install/crypto.test.js

@@ -1,7 +1,8 @@
 'use strict';
 
-const { expect } = require('chai');
 const sinon = require('sinon');
+const semver = require('semver');
+const { expect } = require('chai');
 const { Rule } = require('@contrast/common');
 const { ConfigSource } = require('@contrast/config');
 const { initAssessFixture } = require('@contrast/test/fixtures');
@@ -93,10 +94,9 @@ describe('assess crypto-analysis node:crypto', function () {
     });
   });
 
-  [
-    'createCipher',
-    'createCipheriv'
-  ].forEach((method) => {
+  const methods = ['createCipheriv'];
+  if (semver.lt(process.version, '22.0.0')) methods.push('createCipher');
+  methods.forEach((method) => {
     describe(`crypto.${method}()`, function() {
       [
         'des-ede',

package/lib/dataflow/propagation/install/buffer.js

@@ -78,9 +78,11 @@ module.exports = function(core) {
         }
       });
 
+      const bufferFrom = 'global.Buffer.from';
+
       patcher.patch(global.Buffer, 'from', {
         patchType,
-        name,
+        name: bufferFrom,
         post(data) {
           const firstArg = data.args[0];
           const argType = isString(firstArg) ? 'string' : Buffer.isBuffer(firstArg) ? 'buffer' : null;
@@ -112,7 +114,7 @@ module.exports = function(core) {
               context: `Buffer.from(${ArrayPrototypeJoin.call(args.map((a) => a.value))})`,
               object: { tracked: true, value: 'Buffer' },
               history: [trkInfo],
-              name,
+              name: bufferFrom,
               result: {
                 tracked: true,
                 value: args[0].value,

package/lib/dataflow/propagation/install/buffer.test.js

@@ -74,6 +74,9 @@ describe('assess dataflow propagation Buffer', function () {
       source: 'P0',
       target: 'R',
       tags: { UNTRUSTED: [0, 7] },
+      name: 'global.Buffer.from',
+      moduleName: 'Buffer',
+      methodName: 'from',
     };
 
     [

package/lib/dataflow/propagation/install/string/match-all.js

@@ -49,7 +49,7 @@ module.exports = function(core) {
       name,
       moduleName: 'String',
       methodName: 'prototype.matchAll',
-      context: `'${objInfo.value}'.matcAll(${arg})`,
+      context: `'${objInfo.value}'.matchAll(${arg})`,
       history: [objInfo],
       object: {
         value: objInfo.value,

package/lib/dataflow/sources/handler.js

@@ -63,7 +63,7 @@ module.exports = function (core) {
   };
 
   sources.createStacktrace = function (stacktraceOpts) {
-    return config.assess.stacktraces === 'NONE'
+    return config.assess.stacktraces === 'NONE' || config.assess.stacktraces === 'SINK'
       ? emptyStack
       : createSnapshot(stacktraceOpts)();
   };

package/lib/dataflow/sources/handler.test.js

@@ -139,6 +139,44 @@ describe('assess dataflow sources handler', function () {
       });
     });
 
+    ['SINK', 'NONE'].forEach((option) => {
+      it(`does not capture stacktrace for assess.stacktraces=${option}`, function() {
+        simulateRequestScope(() => {
+          const sourceContext = core.scopes.sources.getStore()?.assess;
+          core.config.assess.stacktraces = option;
+          const trackedObj = sources.handle({
+            name: 'test-source-name',
+            inputType: InputType.QUERYSTRING,
+            data: { prop1: 'foo' },
+            sourceContext
+          });
+
+          const trackData = tracker.getData(trackedObj.prop1);
+          expect(trackData.stack).to.deep.equal([]);
+        });
+      });
+    });
+
+    ['SOME', 'ALL'].forEach((option) => {
+      it(`captures stacktrace for assess.stacktraces=${option}`, function() {
+        simulateRequestScope(() => {
+          const sourceContext = core.scopes.sources.getStore()?.assess;
+          core.config.assess.stacktraces = option;
+          const trackedObj = sources.handle({
+            name: 'test-source-name',
+            inputType: InputType.QUERYSTRING,
+            data: { prop1: 'foo' },
+            sourceContext
+          });
+
+          const trackData = tracker.getData(trackedObj.prop1);
+          expect(trackData.stack).to.be.instanceOf(Array);
+          expect(trackData.stack.length).to.be.greaterThan(0);
+        });
+      });
+    });
+
+
     it('traverses objects and tracks string values', function () {
       simulateRequestScope(() => {
         const sourceContext = core.scopes.sources.getStore()?.assess;

package/lib/event-factory.test.js

@@ -199,14 +199,16 @@ testMethod('assess event-factory', function () {
       });
     });
 
-    it('returns an event without stacktrace generator function when stacktraces option is not set to "ALL"', function () {
-      core.config.assess.stacktraces = 'SOME';
-      core.scopes.sources.run(validStore, function () {
-        const result = createPropagationEvent(validData);
+    ['SOME', 'SINK', 'NONE'].forEach((option) => {
+      it(`returns an event without stacktrace generator function when stacktraces option is not set to "ALL" and set to ${option}`, function () {
+        core.config.assess.stacktraces = option;
+        core.scopes.sources.run(validStore, function () {
+          const result = createPropagationEvent(validData);
 
-        expect(result).to.be.like(validResult);
-        expect(result.time).not.to.be.undefined;
-        expect(result.stack).to.deep.equal([]);
+          expect(result).to.be.like(validResult);
+          expect(result.time).not.to.be.undefined;
+          expect(result.stack).to.deep.equal([]);
+        });
       });
     });
   });
@@ -296,14 +298,17 @@ testMethod('assess event-factory', function () {
       });
     });
 
-    it('returns an event with stacktrace generator function when stacktraces option is not set to "NONE"', function () {
-      core.config.assess.stacktraces = 'ALL';
-      core.scopes.sources.run(validStore, function () {
-        const result = createSinkEvent(validData);
+    ['ALL', 'SOME', 'SINK'].forEach((option) => {
+      it(`returns an event with stacktrace generator function when stacktraces option is not set to "NONE" and set to ${option}`, function () {
+        core.config.assess.stacktraces = option;
+        core.scopes.sources.run(validStore, function () {
+          const result = createSinkEvent(validData);
 
-        expect(result).to.be.like(validResult);
-        expect(result.time).not.to.be.undefined;
-        expect(result.stack).to.be.instanceOf(Array);
+          expect(result).to.be.like(validResult);
+          expect(result.time).not.to.be.undefined;
+          expect(result.stack).to.be.instanceOf(Array);
+          expect(result.stack.length).to.be.greaterThan(0);
+        });
       });
     });
 

package/lib/index.d.ts

@@ -12,17 +12,22 @@
  * engineered, modified, repackaged, sold, redistributed or otherwise used in a
  * way not consistent with the End User License Agreement.
  */
-import { IncomingMessage, ServerResponse } from 'node:http';
-import {
-  Rule,
-  SessionConfigurationRule,
-} from '@contrast/common';
+import { Rule, SessionConfigurationRule } from '@contrast/common';
+import { Config } from '@contrast/config';
 import { Core as _Core } from '@contrast/core';
+import { Deadzones } from '@contrast/deadzones';
+import { DepHooks } from '@contrast/dep-hooks';
+import { Logger } from '@contrast/logger';
+import { Patcher } from '@contrast/patcher';
+import { ReporterBus } from '@contrast/reporter';
+import { Rewriter } from '@contrast/rewriter';
+import { Scopes } from '@contrast/scopes';
+import { IncomingMessage, ServerResponse } from 'node:http';
 
 export interface Core extends _Core {
   config: Config;
   logger: Logger;
-  depHooks: RequireHook;
+  depHooks: DepHooks;
   patcher: Patcher
   rewriter: Rewriter;
   scopes: Scopes;

package/lib/response-scanning/handlers/index.js

@@ -197,14 +197,7 @@ module.exports = function(core) {
     const vulnerabilityMetadata = checkCspSources(cspHeaders);
 
     if (vulnerabilityMetadata.insecure) {
-      // We do this because TS API will expect these keys (although it is a typo)
-      // When they fix the API we can remove this
-      vulnerabilityMetadata.refererSecure = vulnerabilityMetadata.referrerSecure;
-      vulnerabilityMetadata.refererValue = vulnerabilityMetadata.referrerValue;
-
       delete vulnerabilityMetadata.insecure;
-      delete vulnerabilityMetadata.referrerSecure;
-      delete vulnerabilityMetadata.referrerValue;
 
       reportFindings(sourceContext, {
         ruleId: ResponseScanningRule.CSP_HEADER_INSECURE,

package/lib/response-scanning/handlers/index.test.js

@@ -251,8 +251,6 @@ describe('assess response scanning handlers', function () {
             data: JSON.stringify({
               defaultSrcSecure: true,
               defaultSrcValue: '"self"',
-              baseUriSecure: false,
-              baseUriValue: '',
               childSrcSecure: true,
               childSrcValue: '',
               connectSrcSecure: true,
@@ -267,16 +265,12 @@ describe('assess response scanning handlers', function () {
               scriptSrcValue: '',
               styleSrcSecure: true,
               styleSrcValue: '',
+              baseUriSecure: false,
+              baseUriValue: '',
               formActionSecure: true,
               formActionValue: '"foobar"',
               frameAncestorsSecure: true,
               frameAncestorsValue: '"foobar"',
-              pluginTypesSecure: true,
-              pluginTypesValue: '"foobar"',
-              reflectedXssSecure: true,
-              reflectedXssValue: '',
-              refererSecure: true,
-              refererValue: ''
             })
           }
         });

package/lib/response-scanning/handlers/utils.js

@@ -261,30 +261,8 @@ function isSourceSecure(sources) {
   );
 }
 
-/**
- * Evaluator for reflected-xss directive.  Checks if the value is not
- * equal to 1
- * Note: If empty it is secure
- * @param {Array} sources sources for a given csp directive
- * @return {Boolean} whether a directive is secure
- */
-function xssCheck(sources) {
-  return sources.every((source) => parseInt(source) === 1);
-}
-
-/**
- * Evaluator for referrer directive. Checks if value is not *
- * or contains unsafe-url
- * @param {Array} sources sources for a given csp directive
- * @return {Boolean} whether a directive is secure
- */
-function referrerCheck(sources) {
-  return sources.every((source) => !/unsafe-url|\*/.test(source));
-}
-
 const KNOWN_DIRECTIVES = [
   { name: 'default-src', camelCasedName: 'defaultSrc', evaluator: isSourceSecure },
-  { name: 'base-uri', camelCasedName: 'baseUri', evaluator: isSourceSecure },
   { name: 'child-src', camelCasedName: 'childSrc' },
   { name: 'connect-src', camelCasedName: 'connectSrc' },
   { name: 'frame-src', camelCasedName: 'frameSrc' },
@@ -292,11 +270,9 @@ const KNOWN_DIRECTIVES = [
   { name: 'object-src', camelCasedName: 'objectSrc' },
   { name: 'script-src', camelCasedName: 'scriptSrc' },
   { name: 'style-src', camelCasedName: 'styleSrc' },
+  { name: 'base-uri', camelCasedName: 'baseUri', evaluator: isSourceSecure },
   { name: 'form-action', camelCasedName: 'formAction', evaluator: isSourceSecure },
   { name: 'frame-ancestors', camelCasedName: 'frameAncestors', evaluator: isSourceSecure },
-  { name: 'plugin-types', camelCasedName: 'pluginTypes', evaluator: isSourceSecure },
-  { name: 'reflected-xss', camelCasedName: 'reflectedXss', evaluator: xssCheck },
-  { name: 'referrer', evaluator: referrerCheck }
 ];
 
 /**

package/lib/response-scanning/handlers/utils.test.js

@@ -298,12 +298,6 @@ describe('assess response scanning handlers utils', function() {
       mediaSrcValue: '',
       objectSrcSecure: false,
       objectSrcValue: '',
-      pluginTypesSecure: false,
-      pluginTypesValue: '',
-      referrerSecure: true,
-      referrerValue: '',
-      reflectedXssSecure: true,
-      reflectedXssValue: '',
       scriptSrcSecure: false,
       scriptSrcValue: '',
       styleSrcSecure: false,
@@ -366,9 +360,6 @@ describe('assess response scanning handlers utils', function() {
         policy: 'referrer *; reflected-xss 1;',
         expectedResult: {
           ...defaultValues,
-          reflectedXssValue: '1',
-          referrerSecure: false,
-          referrerValue: '*',
           insecure: true
         }
       },
@@ -376,8 +367,6 @@ describe('assess response scanning handlers utils', function() {
         policy: 'referrer unsafe-url',
         expectedResult: {
           ...defaultValues,
-          referrerSecure: false,
-          referrerValue: 'unsafe-url',
           insecure: true
         }
       },

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@contrast/assess",
-  "version": "1.33.1",
+  "version": "1.35.0",
   "description": "Contrast service providing framework-agnostic Assess support",
   "license": "SEE LICENSE IN LICENSE",
   "author": "Contrast Security <nodejs@contrastsecurity.com> (https://www.contrastsecurity.com)",
@@ -17,15 +17,16 @@
     "test": "../scripts/test.sh"
   },
   "dependencies": {
-    "@contrast/common": "1.24.0",
-    "@contrast/config": "1.31.0",
-    "@contrast/core": "1.35.1",
-    "@contrast/dep-hooks": "1.3.4",
-    "@contrast/distringuish": "^5.0.0",
-    "@contrast/instrumentation": "1.13.1",
-    "@contrast/logger": "1.8.5",
-    "@contrast/patcher": "1.7.5",
-    "@contrast/rewriter": "1.11.1",
-    "@contrast/scopes": "1.4.2"
+    "@contrast/common": "1.25.0",
+    "@contrast/config": "1.33.0",
+    "@contrast/core": "1.37.0",
+    "@contrast/dep-hooks": "1.5.0",
+    "@contrast/distringuish": "^5.1.0",
+    "@contrast/instrumentation": "1.15.0",
+    "@contrast/logger": "1.10.0",
+    "@contrast/patcher": "1.9.0",
+    "@contrast/rewriter": "1.13.0",
+    "@contrast/scopes": "1.6.0",
+    "semver": "^7.6.0"
   }
 }