npm - @contrast/assess - Versions diffs - 1.34.0 → 1.36.0 - Mend

@contrast/assess 1.34.0 → 1.36.0

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (171) hide show

package/lib/crypto-analysis/install/crypto.js CHANGED Viewed

@@ -18,7 +18,7 @@
 const {
   Rule,
   isString,
-  StringPrototypeToLowerCase,
+  primordials: { StringPrototypeToLowerCase },
 } = require('@contrast/common');
 const semver = require('semver');
 const { InstrumentationType: { RULE } } = require('../../constants');

package/lib/dataflow/propagation/install/JSON/parse-fn.js CHANGED Viewed

@@ -14,7 +14,7 @@
  */
 'use strict';
-const { StringPrototypeTrim } = require('@contrast/common');
+const { primordials: { StringPrototypeTrim } } = require('@contrast/common');
 function isNumber(value) {
   return !isNaN(value);

package/lib/dataflow/propagation/install/JSON/parse.js CHANGED Viewed

@@ -16,6 +16,7 @@
 'use strict';
 const { isString } = require('@contrast/common');
+const { InstrumentationType: { PROPAGATOR } } = require('../../../../constants');
 const { createSubsetTags } = require('../../../tag-utils');
 const { patchType } = require('../../common');
 const { getKeyValueIndices } = require('./parse-fn');
@@ -47,9 +48,9 @@ const applyValuesToObject = (object, stack) => {
 module.exports = function (core) {
   const {
     logger,
-    scopes: { sources, instrumentation },
     patcher,
     assess: {
+      getSourceContext,
       eventFactory: { createPropagationEvent },
       dataflow: { tracker },
     },
@@ -100,7 +101,7 @@ module.exports = function (core) {
         name: 'JSON.parse',
         patchType,
         pre(data) {
-          if (!data.args[0] || !sources.getStore()?.assess || instrumentation.isLocked()) return;
+          if (!data.args[0] || !getSourceContext(PROPAGATOR)) return;
           const [input, reviver] = data.args;
           const strInfo = tracker.getData(input);

package/lib/dataflow/propagation/install/JSON/parse.test.js CHANGED Viewed

@@ -123,7 +123,7 @@ describe('assess dataflow propagation JSON parse', function () {
     });
   });
-  it('will not propagate if there is no assess context', function () {
+  it('will not propagate if there is no assess policy in request context', function () {
     simulateRequestScope(function () {
       const trackedString = trackString('foo');
       const string = JSON.stringify({ prop: trackedString });
@@ -131,7 +131,7 @@ describe('assess dataflow propagation JSON parse', function () {
       expect(result.prop).to.be.equal('foo');
       expect(tracker.getData(result.prop)).to.be.null;
-    }, {});
+    }, { assess: { policy: null } });
   });
   it('should ignore empty string', function () {

package/lib/dataflow/propagation/install/JSON/stringify.js CHANGED Viewed

@@ -17,13 +17,16 @@
 const {
   isString,
-  ArrayPrototypeSlice,
-  StringPrototypeReplace,
-  StringPrototypeMatch,
-  StringPrototypeMatchAll,
-  StringPrototypeSlice,
+  primordials: {
+    ArrayPrototypeSlice,
+    StringPrototypeReplace,
+    StringPrototypeMatch,
+    StringPrototypeMatchAll,
+    StringPrototypeSlice,
+  }
 } = require('@contrast/common');
 const crypto = require('crypto');
+const { InstrumentationType: { PROPAGATOR } } = require('../../../../constants');
 const { createMergedTags, getAdjustedUntrackedValue } = require('../../../tag-utils');
 const { patchType } = require('../../common');
@@ -78,9 +81,9 @@ function patchReplacer(replacer) {
 module.exports = function(core) {
   const {
-    scopes: { sources, instrumentation },
     patcher,
     assess: {
+      getSourceContext,
       eventFactory: { createPropagationEvent },
       dataflow: { tracker }
     }
@@ -92,8 +95,6 @@ module.exports = function(core) {
     if (!isString(space) || StringPrototypeMatch.call(space, /^\s+$/) || !space) {
       return null;
     }
     const props = tracker.getData(StringPrototypeSlice.call(space, 0, 10));
     if (!props || !Object.keys(props.tags).length) {
       return null;
@@ -165,7 +166,7 @@ module.exports = function(core) {
         name: 'JSON.stringify',
         patchType,
         pre(data) {
-          if (!sources.getStore()?.assess || instrumentation.isLocked()) return;
+          if (!getSourceContext(PROPAGATOR)) return;
           const [input, , space] = data.args;
           let [, replacer] = data.args;
@@ -222,7 +223,7 @@ module.exports = function(core) {
           data.args = [input, contrastReplacer, space];
         },
         post(data) {
-          if (!sources.getStore()?.assess || instrumentation.isLocked()) return;
+          if (!getSourceContext(PROPAGATOR)) return;
           let tags = {};
           const vulnerableSources = [];
           if (!data.metadata?.propagate) {

package/lib/dataflow/propagation/install/JSON/stringify.test.js CHANGED Viewed

@@ -3,7 +3,7 @@
 const { expect } = require('chai');
 const { initAssessFixture } = require('@contrast/test/fixtures');
 const {
-  UtilInspect,
+  primordials: { UtilInspect },
   DataflowTag: { UNTRUSTED },
 } = require('@contrast/common');
 const origStringify = JSON.stringify;
@@ -80,12 +80,12 @@ describe('assess dataflow propagation JSON stringify', function () {
     });
   });
-  it('results in an untracked string when there is no Assess scope', function () {
+  it('results in an untracked string when there is no Assess policy in request scope', function () {
     simulateRequestScope(() => {
       const ret = JSON.stringify(objWithTrackedStr);
       expect(ret).to.equal(origStringify(objWithTrackedStr));
       expect(tracker.getData(ret)).to.be.null;
-    }, {});
+    }, { assess: { policy: null } });
   });
   it('results in an untracked string when instrumentation is locked', function () {

package/lib/dataflow/propagation/install/array-prototype-join.js CHANGED Viewed

@@ -15,7 +15,7 @@
 'use strict';
-const { isString, ArrayPrototypeJoin, UtilInspect } = require('@contrast/common');
+const { isString, primordials: { ArrayPrototypeJoin } } = require('@contrast/common');
 const { InstrumentationType: { PROPAGATOR } } = require('../../../constants');
 const { createAppendTags } = require('../../tag-utils');
 const { patchType } = require('../common');
@@ -24,6 +24,7 @@ module.exports = function(core) {
   const {
     patcher,
     assess: {
+      inspect,
       getSourceContext,
       eventFactory: { createPropagationEvent },
       dataflow: { tracker }
@@ -70,7 +71,7 @@ module.exports = function(core) {
         patchType,
         post(data) {
           const { args: origArgs, obj, result, hooked, orig } = data;
-          if (!result || !(getSourceContext(PROPAGATOR))) return;
+          if (!result || !getSourceContext(PROPAGATOR)) return;
           const resultInfo = tracker.getData(result);
           const delimiter = origArgs[0] === undefined ? ',' : origArgs[0];
@@ -93,7 +94,7 @@ module.exports = function(core) {
               name,
               moduleName: 'Array',
               methodName: 'prototype.join',
-              context: `${object.value}.join('${UtilInspect(args[0].value) || ''})`,
+              context: `${object.value}.join('${inspect(args[0].value) || ''})`,
               object,
               result: {
                 value: resultInfo ? resultInfo.value : result,

package/lib/dataflow/propagation/install/array-prototype-join.test.js CHANGED Viewed

@@ -62,7 +62,7 @@ describe('assess dataflow propagation array join', function () {
     });
   });
-  it('propagates correclty nested arrays', function () {
+  it('propagates correctly nested arrays', function () {
     simulateRequestScope(function () {
       const str = trackString('tracked', { tags: { untrusted: [0, 6] } });
       const arr = [
@@ -86,12 +86,12 @@ describe('assess dataflow propagation array join', function () {
     });
   });
-  it('will not propagate if there is no assess context', function () {
+  it('will not propagate if there is no assess policy in source context', function () {
     simulateRequestScope(function () {
       const value = trackString('foo');
       const result = ['not-tracked', value].join();
       expect(tracker.getData(result)).to.be.null;
-    }, {});
+    }, { assess: { policy: null } });
   });
   it('will not propagate if there instrumentation is locked', function () {

package/lib/dataflow/propagation/install/buffer.js CHANGED Viewed

@@ -14,7 +14,7 @@
  */
 'use strict';
-const { isString, ArrayPrototypeJoin, StringPrototypeSubstring } = require('@contrast/common');
+const { isString, primordials: { ArrayPrototypeJoin, StringPrototypeSubstring, BufferPrototypeToString } } = require('@contrast/common');
 const { InstrumentationType: { PROPAGATOR } } = require('../../../constants');
 const { getAdjustedUntrackedValue } = require('../../tag-utils');
 const { patchType } = require('../common');
@@ -32,7 +32,6 @@ module.exports = function(core) {
   return core.assess.dataflow.propagation.bufferInstrumentation = {
     install() {
       const name = 'global.Buffer.prototype.toString';
-      const bufferToString = patcher.unwrap(Buffer.prototype.toString);
       patcher.patch(global.Buffer.prototype, 'toString', {
         patchType,
@@ -99,7 +98,7 @@ module.exports = function(core) {
           if (trkInfo) {
             const args = data.args.map((arg, i) => {
               if (i == 0) {
-                const value = argType == 'string' ? arg : bufferToString.call(arg);
+                const value = argType == 'string' ? arg : BufferPrototypeToString.call(arg);
                 // todo (NODE-3455): make sure tag ranges are included in substring
                 return { tracked: true, value: StringPrototypeSubstring.call(value, 0, 50) };
               } else {

package/lib/dataflow/propagation/install/contrast-methods/tag.test.js CHANGED Viewed

@@ -135,11 +135,11 @@ describe('assess dataflow propagation contrast-methods tag', function () {
     });
   });
-  it('does not propagate if not in proper scope', function () {
+  it('does not propagate if no assess policy in request store', function () {
     simulateRequestScope(() => {
       const result = global.ContrastMethods.tag(['', ''], trackString('bar'));
       const data = tracker.getData(result);
       expect(data).to.be.null;
-    }, null);
+    }, { assess: { policy: null } });
   });
 });

package/lib/dataflow/propagation/install/decode-uri-component.js CHANGED Viewed

@@ -15,19 +15,16 @@
 'use strict';
-const {
-  DataflowTag: { URL_ENCODED }
-} = require('@contrast/common');
-const {
-  createFullLengthCopyTags
-} = require('../../tag-utils');
+const { DataflowTag: { URL_ENCODED } } = require('@contrast/common');
+const { InstrumentationType: { PROPAGATOR } } = require('../../../constants');
+const { createFullLengthCopyTags } = require('../../tag-utils');
 const { patchType, createObjectLabel } = require('../common');
 module.exports = function(core) {
   const {
-    scopes: { sources, instrumentation },
     patcher,
     assess: {
+      getSourceContext,
       eventFactory: { createPropagationEvent },
       dataflow: { tracker }
     }
@@ -42,7 +39,7 @@ module.exports = function(core) {
         patchType,
         post(data) {
           const { args, result, hooked, orig } = data;
-          if (!result || !args[0] || !sources.getStore()?.assess || instrumentation.isLocked()) return;
+          if (!result || !args[0] || !getSourceContext(PROPAGATOR)) return;
           const argInfo = tracker.getData(args[0]);

package/lib/dataflow/propagation/install/decode-uri-component.test.js CHANGED Viewed

@@ -63,7 +63,7 @@ describe('assess dataflow propagation decodeURIComponent', function () {
       const value = trackString('%3Ftest%3Dstr');
       const result = decodeURIComponent(value);
       expect(tracker.getData(result)).to.be.null;
-    }, {});
+    }, { assess: { policy: null } });
   });
   it('will not propagate if there instrumentation is locked', function () {

package/lib/dataflow/propagation/install/ejs/escape-xml.js CHANGED Viewed

@@ -15,20 +15,17 @@
 'use strict';
-const {
-  DataflowTag: { WEAK_URL_ENCODED }
-} = require('@contrast/common');
-const {
-  createFullLengthCopyTags
-} = require('../../../tag-utils');
+const { DataflowTag: { WEAK_URL_ENCODED } } = require('@contrast/common');
+const { InstrumentationType: { PROPAGATOR } } = require('../../../../constants');
+const { createFullLengthCopyTags } = require('../../../tag-utils');
 const { patchType } = require('../../common');
 module.exports = function(core) {
   const {
-    scopes: { sources, instrumentation },
     patcher,
     depHooks,
     assess: {
+      getSourceContext,
       eventFactory: { createPropagationEvent },
       dataflow: { tracker }
     }
@@ -36,14 +33,14 @@ module.exports = function(core) {
   return core.assess.dataflow.propagation.ejsInstrumentation.escapeXML = {
     install() {
-      depHooks.resolve({ name: 'ejs', file: 'lib/utils.js', version: '>=2.6.2' }, (ejsUtils, version) => {
+      depHooks.resolve({ name: 'ejs', file: 'lib/utils.js', version: '>=2.6.2' }, (ejsUtils) => {
         const name = 'ejs.utils.escapeXML';
         patcher.patch(ejsUtils, 'escapeXML', {
           name,
           patchType,
           post(data) {
             const { args, result, hooked, orig } = data;
-            if (!result || !args[0] || !sources.getStore()?.assess || instrumentation.isLocked()) return;
+            if (!result || !args[0] || !getSourceContext(PROPAGATOR)) return;
             const argInfo = tracker.getData(args[0]);

package/lib/dataflow/propagation/install/ejs/escape-xml.test.js CHANGED Viewed

@@ -49,12 +49,12 @@ describe('assess dataflow propagation ejs.utils.escapeXML', function () {
     });
   });
-  it('will not propagate if there is no assess context', function () {
+  it('will not propagate if there is no assess policy in request context', function () {
     simulateRequestScope(function () {
       const value = trackString('foo');
       const result = mockEjsUtils.escapeXML(value);
       expect(tracker.getData(result)).to.be.null;
-    }, {});
+    }, { assess: { policy: null } });
   });
   it('will not propagate if there instrumentation is locked', function () {

package/lib/dataflow/propagation/install/ejs/template.js CHANGED Viewed

@@ -16,7 +16,7 @@
 'use strict';
 const { EOL } = require('os');
-const { ArrayPrototypeJoin } = require('@contrast/common');
+const { primordials: { ArrayPrototypeJoin, StringPrototypeSubstring } } = require('@contrast/common');
 const { patchType } = require('../../common');
 const { InstrumentationType: { PROPAGATOR } } = require('../../../../constants');
@@ -65,7 +65,7 @@ module.exports = function (core) {
             try {
               const { code } = rewriter.rewriteSync(`${WRAPPER_PREFIX}${data.obj.source}${WRAPPER_SUFFIX}`, REWRITE_OPTS);
-              data.obj.source = code.substring(code.indexOf('{') + 1, code.lastIndexOf('}'));
+              data.obj.source = StringPrototypeSubstring.call(code, code.indexOf('{') + 1, code.lastIndexOf('}'));
             } catch (err) {
               logger.error(
                 { err, funcKey: data.funcKey, source: data.obj.source },

package/lib/dataflow/propagation/install/encode-uri.js CHANGED Viewed

@@ -18,16 +18,15 @@
 const {
   DataflowTag: { URL_ENCODED, WEAK_URL_ENCODED }
 } = require('@contrast/common');
-const {
-  createEscapeTagRanges
-} = require('../../tag-utils');
+const { InstrumentationType: { PROPAGATOR } } = require('../../../constants');
+const { createEscapeTagRanges } = require('../../tag-utils');
 const { patchType, createObjectLabel } = require('../common');
 module.exports = function(core) {
   const {
-    scopes: { sources, instrumentation },
     patcher,
     assess: {
+      getSourceContext,
       eventFactory: { createPropagationEvent },
       dataflow: { tracker }
     }
@@ -35,7 +34,6 @@ module.exports = function(core) {
   return core.assess.dataflow.propagation.encodeURI = {
     install() {
       [
         {
           methodName: 'encodeURIComponent',
@@ -52,7 +50,7 @@ module.exports = function(core) {
           patchType,
           post(data) {
             const { args, result, hooked, orig } = data;
-            if (!result || !args[0] || !sources.getStore()?.assess || instrumentation.isLocked()) return;
+            if (!result || !args[0] || !getSourceContext(PROPAGATOR)) return;
             const argInfo = tracker.getData(args[0]);

package/lib/dataflow/propagation/install/encode-uri.test.js CHANGED Viewed

@@ -27,12 +27,12 @@ describe('assess dataflow propagation encodeURI, encodeURIComponent', function (
     sinon.resetHistory();
   });
-  it('will not propagate if there is no assess context', function () {
+  it('will not propagate if there is no assess policy in request context', function () {
     simulateRequestScope(function () {
       const value = trackString('?test=str');
       const result = encodeURIComponent(value);
       expect(tracker.getData(result)).to.be.null;
-    }, {});
+    }, { assess: { policy: null } });
   });
   it('will not propagate if there instrumentation is locked', function () {

package/lib/dataflow/propagation/install/escape-html.js CHANGED Viewed

@@ -15,20 +15,17 @@
 'use strict';
-const {
-  DataflowTag: { HTML_ENCODED }
-} = require('@contrast/common');
-const {
-  createEscapeTagRanges
-} = require('../../tag-utils');
+const { DataflowTag: { HTML_ENCODED } } = require('@contrast/common');
+const { InstrumentationType: { PROPAGATOR } } = require('../../../constants');
+const { createEscapeTagRanges } = require('../../tag-utils');
 const { patchType } = require('../common');
 module.exports = function(core) {
   const {
-    scopes: { sources, instrumentation },
     patcher,
     depHooks,
     assess: {
+      getSourceContext,
       eventFactory: { createPropagationEvent },
       dataflow: { tracker }
     }
@@ -44,7 +41,7 @@ module.exports = function(core) {
           patchType,
           post(data) {
             const { args, result, hooked, orig } = data;
-            if (!result || !args[0] || !sources.getStore()?.assess || instrumentation.isLocked()) return;
+            if (!result || !args[0] || !getSourceContext(PROPAGATOR)) return;
             const argInfo = tracker.getData(args[0]);

package/lib/dataflow/propagation/install/escape-html.test.js CHANGED Viewed

@@ -28,12 +28,12 @@ describe('assess dataflow propagation escape-html', function () {
     sinon.resetHistory();
   });
-  it('will not propagate if there is no assess context', function () {
+  it('will not propagate if there is no assess policy in request context', function () {
     simulateRequestScope(function () {
       const value = trackString('<script>alert("hello");</script>');
       const result = patchedEscapeHtml(value);
       expect(tracker.getData(result)).to.be.null;
-    }, {});
+    }, { assess: { policy: null } });
   });
   it('will not propagate if there instrumentation is locked', function () {
@@ -51,7 +51,7 @@ describe('assess dataflow propagation escape-html', function () {
       const value = '<script>alert("hello");</script>';
       const result = patchedEscapeHtml(value);
       expect(tracker.getData(result)).to.be.null;
-    }, {});
+    });
   });

package/lib/dataflow/propagation/install/escape.js CHANGED Viewed

@@ -15,19 +15,16 @@
 'use strict';
-const {
-  DataflowTag: { WEAK_URL_ENCODED }
-} = require('@contrast/common');
-const {
-  createFullLengthCopyTags
-} = require('../../tag-utils');
+const { DataflowTag: { WEAK_URL_ENCODED } } = require('@contrast/common');
+const { InstrumentationType: { PROPAGATOR } } = require('../../../constants');
+const { createFullLengthCopyTags } = require('../../tag-utils');
 const { patchType, createObjectLabel } = require('../common');
 module.exports = function(core) {
   const {
-    scopes: { sources, instrumentation },
     patcher,
     assess: {
+      getSourceContext,
       eventFactory: { createPropagationEvent },
       dataflow: { tracker }
     }
@@ -42,7 +39,7 @@ module.exports = function(core) {
         patchType,
         post(data) {
           const { args, result, hooked, orig } = data;
-          if (!result || !args[0] || !sources.getStore()?.assess || instrumentation.isLocked()) return;
+          if (!result || !args[0] || !getSourceContext(PROPAGATOR)) return;
           const argInfo = tracker.getData(args[0]);

package/lib/dataflow/propagation/install/escape.test.js CHANGED Viewed

@@ -53,12 +53,12 @@ describe('assess dataflow propagation escape', function () {
     });
   });
-  it('will not propagate if there is no assess context', function () {
+  it('will not propagate if there is no assess policy in request context', function () {
     simulateRequestScope(function () {
       const value = trackString('?test=str');
       const result = escape(value);
       expect(tracker.getData(result)).to.be.null;
-    }, {});
+    }, { assess: { policy: null } });
   });
   it('will not propagate if there instrumentation is locked', function () {

package/lib/dataflow/propagation/install/fastify-send.js CHANGED Viewed

@@ -14,14 +14,14 @@
  */
 'use strict';
+const { primordials: { StringPrototypeSlice } } = require('@contrast/common');
 const { patchType } = require('../common');
-const { StringPrototypeSlice } = require('@contrast/common');
 module.exports = function (core) {
   const {
     depHooks,
     patcher,
-    scopes: { sources, instrumentation },
+    assess: { getSourceContext }
   } = core;
   return core.assess.dataflow.propagation.fastifySend = {
@@ -33,9 +33,7 @@ module.exports = function (core) {
           pre(data) {
             const { args } = data;
-            if (!sources.getStore()?.assess || instrumentation.isLocked()) {
-              return;
-            }
+            if (!getSourceContext()) return;
             const untrackedPath = StringPrototypeSlice.call(` ${args[0]}`, 1);
             args[0] = untrackedPath;

package/lib/dataflow/propagation/install/handlebars-utils-escape-expression.js CHANGED Viewed

@@ -15,20 +15,17 @@
 'use strict';
-const {
-  DataflowTag: { HTML_ENCODED }
-} = require('@contrast/common');
-const {
-  createFullLengthCopyTags
-} = require('../../tag-utils');
+const { DataflowTag: { HTML_ENCODED } } = require('@contrast/common');
+const { InstrumentationType: { PROPAGATOR } } = require('../../../constants');
+const { createFullLengthCopyTags } = require('../../tag-utils');
 const { patchType } = require('../common');
 module.exports = function(core) {
   const {
-    scopes: { sources, instrumentation },
     patcher,
     depHooks,
     assess: {
+      getSourceContext,
       eventFactory: { createPropagationEvent },
       dataflow: { tracker }
     }
@@ -36,7 +33,7 @@ module.exports = function(core) {
   return core.assess.dataflow.propagation.handlebarsEscapeExpression = {
     install() {
-      depHooks.resolve({ name: 'handlebars', version: '>=4.0.0' }, (handlebars, version) => {
+      depHooks.resolve({ name: 'handlebars', version: '>=4.0.0' }, (handlebars) => {
         const name = 'handlebars.Utils.escapeExpression';
         patcher.patch(handlebars.Utils, 'escapeExpression', {
@@ -44,7 +41,7 @@ module.exports = function(core) {
           patchType,
           post(data) {
             const { args, result, hooked, orig } = data;
-            if (!result || !args[0] || !sources.getStore()?.assess || instrumentation.isLocked()) return;
+            if (!result || !args[0] || !getSourceContext(PROPAGATOR)) return;
             const argInfo = tracker.getData(args[0]);

package/lib/dataflow/propagation/install/handlebars-utils-escape-expression.test.js CHANGED Viewed

@@ -56,7 +56,7 @@ describe('assess dataflow propagation handlebars.Utils.escapeExpression', functi
       const value = trackString('foo');
       const result = mockHandlebars.Utils.escapeExpression(value);
       expect(tracker.getData(result)).to.be.null;
-    }, {});
+    }, { assess: { policy: null } });
   });
   it('will not propagate if there instrumentation is locked', function () {