npm - @contrast/assess - Versions diffs - 1.34.0 → 1.36.0 - Mend

@contrast/assess 1.34.0 → 1.36.0

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (171) hide show

package/lib/dataflow/propagation/install/joi/values.js CHANGED Viewed

@@ -16,7 +16,7 @@
 'use strict';
 const {
-  isNonEmptyObject, isString, traverseValues, ArrayPrototypeJoin
+  isNonEmptyObject, isString, traverseValues, primordials: { ArrayPrototypeJoin }
 } = require('@contrast/common');
 const { createMergedTags } = require('../../../tag-utils');
 const { patchType } = require('../../common');
@@ -24,9 +24,9 @@ const { patchType } = require('../../common');
 module.exports = function(core) {
   const {
     depHooks,
-    scopes: { sources, instrumentation },
     patcher,
     assess: {
+      getSourceContext,
       inspect, // todo: remove
       eventFactory: { createPropagationEvent },
       dataflow: { tracker },
@@ -46,8 +46,7 @@ module.exports = function(core) {
         if (
           !value ||
           !result ||
-          !sources.getStore()?.assess ||
-          instrumentation.isLocked()
+          !getSourceContext()
         ) return;
         const metadata = {
@@ -56,7 +55,6 @@ module.exports = function(core) {
           orig: data.orig
         };
         if (result.ref) {
           const targetAbsolutePath = ArrayPrototypeJoin.call(result.ref.absolute(state), '.');
@@ -143,13 +141,13 @@ module.exports = function(core) {
     }
   }
-  return (core.assess.dataflow.propagation.joiInstrumentation.values = {
+  return core.assess.dataflow.propagation.joiInstrumentation.values = {
     install() {
       depHooks.resolve(
         { name: 'joi', file: 'lib/values.js', version: '>=17.0.0' },
         instrumentJoiValues
       );
     },
-  });
+  };
 };

package/lib/dataflow/propagation/install/mongoose/schema-map.js CHANGED Viewed

@@ -13,17 +13,18 @@
  * way not consistent with the End User License Agreement.
  */
 'use strict';
+const { traverseValues, DataflowTag, primordials: { StringPrototypeSubstring } } = require('@contrast/common');
 const { patchType } = require('../../common');
 const { userDefinedType } = require('./common');
-const { traverseValues, DataflowTag, StringPrototypeSubstring } = require('@contrast/common');
 module.exports = function (core) {
   const {
     config: { assess },
-    scopes: { sources },
     patcher,
     depHooks,
     assess: {
+      getSourceContext,
       eventFactory: { createPropagationEvent },
       dataflow: {
         tracker,
@@ -107,7 +108,7 @@ module.exports = function (core) {
           name: doValidateSyncName,
           patchType,
           post: (data) => {
-            if (!assess.trust_custom_validators || data.result || !sources.getStore()?.assess) return;
+            if (!assess.trust_custom_validators || data.result || !getSourceContext()) return;
             mapInstrumentation(data, doValidateSyncName);
           },
@@ -125,7 +126,7 @@ module.exports = function (core) {
             if (
               !value ||
               typeof cb !== 'function' ||
-              !sources.getStore()?.assess
+              !getSourceContext()
             ) {
               return;
             }

package/lib/dataflow/propagation/install/mongoose/schema-map.test.js CHANGED Viewed

@@ -107,7 +107,7 @@ describe('assess dataflow propagation mongoose.MapSchema', function () {
     });
   });
-  it('SchemaMap.doValidateSync skip instrumentation if there is no assess scope', function () {
+  it('SchemaMap.doValidateSync skip instrumentation if there is no assess policy in request scope', function () {
     simulateRequestScope(function () {
       const str = trackString('error');
@@ -115,7 +115,7 @@ describe('assess dataflow propagation mongoose.MapSchema', function () {
       const strInfo = tracker.getData(str);
       expect(strInfo).to.be.null;
-    }, {});
+    }, { assess: { policy: null } });
   });
   it('SchemaMap.doValidateSync skip instrumentation if there is no custom validator', function () {
@@ -261,7 +261,7 @@ describe('assess dataflow propagation mongoose.MapSchema', function () {
     });
   });
-  it('SchemaMap.doValidate skip instrumentation if there is no assess scope', function () {
+  it('SchemaMap.doValidate skip instrumentation if there is no assess policy in request scope', function () {
     simulateRequestScope(function () {
       const str = trackString('foo');
@@ -269,7 +269,7 @@ describe('assess dataflow propagation mongoose.MapSchema', function () {
       const strInfo = tracker.getData(str);
       expect(strInfo).to.be.null;
-    }, {});
+    }, { assess: { policy: null } });
   });
   it('SchemaMap.doValidate skip instrumentation if there is a validation error', function () {

package/lib/dataflow/propagation/install/mongoose/schema-mixed.js CHANGED Viewed

@@ -13,17 +13,18 @@
  * way not consistent with the End User License Agreement.
  */
 'use strict';
+const { traverseValues, DataflowTag, primordials: { StringPrototypeSubstring } } = require('@contrast/common');
 const { patchType } = require('../../common');
 const { userDefinedType } = require('./common');
-const { traverseValues, DataflowTag, StringPrototypeSubstring } = require('@contrast/common');
 module.exports = function (core) {
   const {
     config: { assess },
-    scopes: { sources },
     patcher,
     depHooks,
     assess: {
+      getSourceContext,
       eventFactory: { createPropagationEvent },
       dataflow: {
         tracker,
@@ -119,7 +120,7 @@ module.exports = function (core) {
             if (
               !assess.trust_custom_validators ||
               data.result ||
-              !sources.getStore()?.assess
+              !getSourceContext()
             ) {
               return;
             }
@@ -134,7 +135,7 @@ module.exports = function (core) {
           name: doValidateName,
           patchType,
           pre: (data) => {
-            if (!assess.trust_custom_validators || !sources.getStore()?.assess) {
+            if (!assess.trust_custom_validators || !getSourceContext()) {
               return;
             }

package/lib/dataflow/propagation/install/mongoose/schema-mixed.test.js CHANGED Viewed

@@ -110,7 +110,7 @@ describe('assess dataflow propagation mongoose.MixedSchema', function () {
     });
   });
-  it('SchemaMixed.doValidateSync skip instrumentation if there is no assess scope', function () {
+  it('SchemaMixed.doValidateSync skip instrumentation if there is no assess policy in request scope', function () {
     simulateRequestScope(function () {
       const str = trackString('error');
@@ -118,7 +118,7 @@ describe('assess dataflow propagation mongoose.MixedSchema', function () {
       const strInfo = tracker.getData(str);
       expect(strInfo).to.be.null;
-    }, {});
+    }, { assess: { policy: null } });
   });
   it('SchemaMixed.doValidateSync skip instrumentation if there is no custom validator', function () {
@@ -147,7 +147,6 @@ describe('assess dataflow propagation mongoose.MixedSchema', function () {
           value: 'foo',
         },
         value: 'foo',
       });
     });
   });
@@ -355,7 +354,7 @@ describe('assess dataflow propagation mongoose.MixedSchema', function () {
     });
   });
-  it('SchemaMixed.doValidate skip instrumentation if there is no assess scope', function () {
+  it('SchemaMixed.doValidate skip instrumentation if there is no assess policy in request scope', function () {
     simulateRequestScope(function () {
       const str = trackString('foo');
@@ -363,7 +362,7 @@ describe('assess dataflow propagation mongoose.MixedSchema', function () {
       const strInfo = tracker.getData(str);
       expect(strInfo).to.be.null;
-    }, {});
+    }, { assess: { policy: null } });
   });
   it('SchemaMixed.doValidate skip instrumentation if there is a validation error', function () {

package/lib/dataflow/propagation/install/mongoose/schema-string.js CHANGED Viewed

@@ -15,7 +15,7 @@
 'use strict';
-const { DataflowTag, StringPrototypeSubstring } = require('@contrast/common');
+const { DataflowTag, primordials: { StringPrototypeSubstring } } = require('@contrast/common');
 const { patchType } = require('../../common');
 const { userDefinedType } = require('./common');
@@ -28,6 +28,7 @@ module.exports = function (core) {
     patcher,
     depHooks,
     assess: {
+      getSourceContext,
       eventFactory: { createPropagationEvent },
       dataflow: { tracker },
     },
@@ -70,9 +71,7 @@ module.exports = function (core) {
       patchType,
       pre(data) {
         const [value, cb] = data.args;
-        if (!value || typeof cb !== 'function' || !sources.getStore()?.assess) {
-          return;
-        }
+        if (!value || typeof cb !== 'function' || !getSourceContext()) return;
         const hasCustomValidator = data.obj.validators.some(
           (validator) => validator.type === userDefinedType

package/lib/dataflow/propagation/install/mustache-escape.js CHANGED Viewed

@@ -15,20 +15,17 @@
 'use strict';
-const {
-  DataflowTag: { HTML_ENCODED }
-} = require('@contrast/common');
-const {
-  createEscapeTagRanges
-} = require('../../tag-utils');
+const { DataflowTag: { HTML_ENCODED } } = require('@contrast/common');
+const { InstrumentationType: { PROPAGATOR } } = require('../../../constants');
+const { createEscapeTagRanges } = require('../../tag-utils');
 const { patchType } = require('../common');
 module.exports = function(core) {
   const {
-    scopes: { sources, instrumentation },
     patcher,
     depHooks,
     assess: {
+      getSourceContext,
       eventFactory: { createPropagationEvent },
       dataflow: { tracker }
     }
@@ -44,7 +41,7 @@ module.exports = function(core) {
           patchType,
           post(data) {
             const { args, result, hooked, orig } = data;
-            if (!result || !args[0] || !sources.getStore()?.assess || instrumentation.isLocked()) return;
+            if (!result || !args[0] || !getSourceContext(PROPAGATOR)) return;
             const argInfo = tracker.getData(args[0]);

package/lib/dataflow/propagation/install/mustache-escape.test.js CHANGED Viewed

@@ -27,12 +27,12 @@ describe('assess dataflow propagation mustache.escape', function () {
     sinon.resetHistory();
   });
-  it('will not propagate if there is no assess context', function () {
+  it('will not propagate if there is no assess policy in request context', function () {
     simulateRequestScope(function () {
       const value = trackString('<script>alert("hello");</script>');
       const result = mustache.escape(value);
       expect(tracker.getData(result)).to.be.null;
-    }, {});
+    }, { assess: { policy: null } });
   });
   it('will not propagate if there instrumentation is locked', function () {

package/lib/dataflow/propagation/install/mysql-connection-escape.js CHANGED Viewed

@@ -15,20 +15,17 @@
 'use strict';
-const {
-  DataflowTag: { SQL_ENCODED }
-} = require('@contrast/common');
-const {
-  createFullLengthCopyTags
-} = require('../../tag-utils');
+const { DataflowTag: { SQL_ENCODED } } = require('@contrast/common');
+const { InstrumentationType: { PROPAGATOR } } = require('../../../constants');
+const { createFullLengthCopyTags } = require('../../tag-utils');
 const { patchType, createModuleLabel } = require('../common');
 module.exports = function(core) {
   const {
-    scopes: { sources, instrumentation },
     patcher,
     depHooks,
     assess: {
+      getSourceContext,
       eventFactory: { createPropagationEvent },
       dataflow: { tracker }
     }
@@ -37,7 +34,7 @@ module.exports = function(core) {
   function createPostHook(eventName, objectValue) {
     return function(data) {
       const { args, result, hooked, orig } = data;
-      if (!result || !args[0] || !sources.getStore()?.assess || instrumentation.isLocked()) return;
+      if (!result || !args[0] || !getSourceContext(PROPAGATOR)) return;
       const argInfo = tracker.getData(args[0]);

package/lib/dataflow/propagation/install/mysql-connection-escape.test.js CHANGED Viewed

@@ -52,13 +52,13 @@ describe('assess dataflow propagation mysql.connection.escape', function () {
     });
   });
-  it('will not propagate if there is no assess context', function () {
+  it('will not propagate if there is no assess policy in request context', function () {
     simulateRequestScope(function () {
       const value = trackString('foo');
       const connection = new mockConnection();
       const result = connection.escape(value);
       expect(tracker.getData(result)).to.be.null;
-    }, {});
+    }, { assess: { policy: null } });
   });
   it('will not propagate if there instrumentation is locked', function () {

package/lib/dataflow/propagation/install/parse-int.js CHANGED Viewed

@@ -16,14 +16,15 @@
 'use strict';
 const { isString } = require('@contrast/common');
+const { InstrumentationType: { PROPAGATOR } } = require('../../../constants');
 const { patchType } = require('../common');
 module.exports = function (core) {
   const {
     logger,
-    scopes: { instrumentation, sources },
     patcher,
     assess: {
+      getSourceContext,
       dataflow: { tracker }
     }
   } = core;
@@ -41,8 +42,7 @@ module.exports = function (core) {
             isNaN(result) ||
             !value ||
             !isString(value) ||
-            !sources.getStore()?.assess ||
-            instrumentation.isLocked() ||
+            !getSourceContext(PROPAGATOR) ||
             !tracker.getData(value)
           ) return;

package/lib/dataflow/propagation/install/path/basename.js CHANGED Viewed

@@ -14,19 +14,18 @@
  */
 'use strict';
-const { isString, ArrayPrototypeJoin } = require('@contrast/common');
+const { isString, primordials: { ArrayPrototypeJoin } } = require('@contrast/common');
+const { InstrumentationType: { PROPAGATOR } } = require('../../../../constants');
 const { patchType } = require('../../common');
-const {
-  excludeExtensionDotFromTags,
-  createBasenameTagsInResult,
-} = require('./common');
+const { excludeExtensionDotFromTags, createBasenameTagsInResult } = require('./common');
 module.exports = function(core) {
   const {
     depHooks,
     patcher,
-    scopes: { sources, instrumentation },
     assess: {
+      getSourceContext,
       eventFactory: { createPropagationEvent },
       dataflow: { tracker },
     },
@@ -43,12 +42,8 @@ module.exports = function(core) {
             patchType,
             post(data) {
               const { args: origArgs, result, name, hooked, orig } = data;
-              if (
-                !result ||
-                !sources.getStore()?.assess ||
-                instrumentation.isLocked()
-              )
-                return;
+              if (!result || !getSourceContext(PROPAGATOR)) return;
               const [pathStr, suffixStr] = origArgs;

package/lib/dataflow/propagation/install/path/basename.test.js CHANGED Viewed

@@ -44,13 +44,13 @@ describe('assess dataflow propagation path basename', function () {
         });
       });
-      it('will not propagate if there is no assess context', function () {
+      it('will not propagate if there is no assess policy in request context', function () {
         simulateRequestScope(function () {
           const myPath = trackString('/script.sh');
           const result = path.basename(myPath);
           expect(tracker.getData(result)).to.be.null;
-        }, {});
+        }, { assess: { policy: null } });
       });
       it('will not propagate if there instrumentation is locked', function () {

package/lib/dataflow/propagation/install/path/common.js CHANGED Viewed

@@ -15,7 +15,7 @@
 'use strict';
-const { StringPrototypeMatchAll, StringPrototypeSubstring, StringPrototypeReplace } = require('@contrast/common');
+const { primordials: { StringPrototypeMatchAll, StringPrototypeSubstring, StringPrototypeReplace } } = require('@contrast/common');
 const {
   createSubsetTags,
   createAppendTags,
@@ -86,7 +86,7 @@ function createArgTagsInResult({
     let { index: startIdx } = matchedSegments[i];
     if (
       ['.', '..'].includes(segment) &&
-      result.substring(lastIndex - segment.length, lastIndex + 1) !== segment
+      StringPrototypeSubstring.call(result, lastIndex - segment.length, lastIndex + 1) !== segment
     )
       continue;
     let idxInResult = result.lastIndexOf(segment, lastIndex);

package/lib/dataflow/propagation/install/path/dirname.js CHANGED Viewed

@@ -15,17 +15,16 @@
 'use strict';
 const { isString } = require('@contrast/common');
+const { InstrumentationType: { PROPAGATOR } } = require('../../../../constants');
 const { patchType } = require('../../common');
-const {
-  createArgTagsInResult
-} = require('./common');
+const { createArgTagsInResult } = require('./common');
 module.exports = function(core) {
   const {
     depHooks,
     patcher,
-    scopes: { sources, instrumentation },
     assess: {
+      getSourceContext,
       eventFactory: { createPropagationEvent },
       dataflow: { tracker },
     },
@@ -42,12 +41,8 @@ module.exports = function(core) {
             patchType,
             post(data) {
               const { args, result, name, hooked, orig } = data;
-              if (
-                !result ||
-                !sources.getStore()?.assess ||
-                instrumentation.isLocked()
-              )
-                return;
+              if (!result || !getSourceContext(PROPAGATOR)) return;
               const pathStr = args[0];

package/lib/dataflow/propagation/install/path/dirname.test.js CHANGED Viewed

@@ -41,14 +41,14 @@ describe('assess dataflow propagation path dirname', function () {
         });
       });
-      it('will not propagate if there is no assess context', function () {
+      it('will not propagate if there is no assess policy in request context', function () {
         simulateRequestScope(function () {
           const myPath = trackString('/path');
           const result = path.dirname(myPath);
           expect(tracker.getData(result)).to.be.null;
-        }, {});
+        }, { assess: { policy: null } });
       });
       it('will not propagate if there instrumentation is locked', function () {

package/lib/dataflow/propagation/install/path/extname.js CHANGED Viewed

@@ -14,19 +14,19 @@
  */
 'use strict';
-const { patchType } = require('../../common');
 const { isString } = require('@contrast/common');
+const { InstrumentationType: { PROPAGATOR } } = require('../../../../constants');
 const { createSubsetTags } = require('../../../tag-utils');
-const {
-  excludeExtensionDotFromTags
-} = require('./common');
+const { patchType } = require('../../common');
+const { excludeExtensionDotFromTags } = require('./common');
 module.exports = function(core) {
   const {
     depHooks,
     patcher,
-    scopes: { sources, instrumentation },
     assess: {
+      getSourceContext,
       eventFactory: { createPropagationEvent },
       dataflow: { tracker },
     },
@@ -43,12 +43,7 @@ module.exports = function(core) {
             patchType,
             post(data) {
               const { args, result, name, hooked, orig } = data;
-              if (
-                !result ||
-                !sources.getStore()?.assess ||
-                instrumentation.isLocked()
-              )
-                return;
+              if (!result || !getSourceContext(PROPAGATOR)) return;
               const pathStr = args[0];

package/lib/dataflow/propagation/install/path/extname.test.js CHANGED Viewed

@@ -36,14 +36,14 @@ describe('assess dataflow propagation path extname', function () {
         });
       });
-      it('will not propagate if there is no assess context', function () {
+      it('will not propagate if there is no assess policy in request context', function () {
         simulateRequestScope(function () {
           const myPath = trackString('/path/to/file.txt');
           const result = path.extname(myPath);
           expect(tracker.getData(result)).to.be.null;
-        }, {});
+        }, { assess: { policy: null } });
       });
       it('will not propagate if there instrumentation is locked', function () {

package/lib/dataflow/propagation/install/path/format.js CHANGED Viewed

@@ -14,20 +14,19 @@
  */
 'use strict';
-const { ArrayPrototypeJoin, isString } = require('@contrast/common');
-const { patchType } = require('../../common');
+const { primordials: { ArrayPrototypeJoin }, isString } = require('@contrast/common');
+const { InstrumentationType: { PROPAGATOR } } = require('../../../../constants');
 const { createMergedTags, getAdjustedUntrackedValue } = require('../../../tag-utils');
-const {
-  createArgTagsInResult,
-  excludeExtensionDotFromTags
-} = require('./common');
+const { patchType } = require('../../common');
+const { createArgTagsInResult, excludeExtensionDotFromTags } = require('./common');
 module.exports = function(core) {
   const {
     depHooks,
     patcher,
-    scopes: { sources, instrumentation },
     assess: {
+      getSourceContext,
       eventFactory: { createPropagationEvent },
       dataflow: { tracker },
     },
@@ -44,12 +43,7 @@ module.exports = function(core) {
             patchType,
             post(data) {
               const { args, result, name: patchName, hooked, orig } = data;
-              if (
-                !result ||
-                !sources.getStore()?.assess ||
-                instrumentation.isLocked()
-              )
-                return;
+              if (!result || !getSourceContext(PROPAGATOR)) return;
               const pathProps = [];
               const { dir, root, base, name, ext } = args[0];

package/lib/dataflow/propagation/install/path/format.test.js CHANGED Viewed

@@ -39,7 +39,7 @@ describe('assess dataflow propagation path format', function () {
         });
       });
-      it('will not propagate if there is no assess context', function () {
+      it('will not propagate if there is no assess policy in request context', function () {
         simulateRequestScope(function () {
           const dir = trackString('/path/to');
@@ -49,7 +49,7 @@ describe('assess dataflow propagation path format', function () {
           });
           expect(tracker.getData(result)).to.be.null;
-        }, {});
+        }, { assess: { policy: null } });
       });
       it('will not propagate if there instrumentation is locked', function () {

package/lib/dataflow/propagation/install/path/join-and-resolve.js CHANGED Viewed

@@ -14,20 +14,19 @@
  */
 'use strict';
-const { isString, ArrayPrototypeJoin } = require('@contrast/common');
+const { isString, primordials: { ArrayPrototypeJoin } } = require('@contrast/common');
+const { InstrumentationType: { PROPAGATOR } } = require('../../../../constants');
 const { createMergedTags } = require('../../../tag-utils');
 const { patchType } = require('../../common');
-const {
-  createArgTagsInResult,
-  excludeExtensionDotFromTags,
-} = require('./common');
+const { createArgTagsInResult, excludeExtensionDotFromTags } = require('./common');
 module.exports = function(core) {
   const {
     depHooks,
     patcher,
-    scopes: { sources, instrumentation },
     assess: {
+      getSourceContext,
       eventFactory: { createPropagationEvent },
       dataflow: { tracker },
     },
@@ -46,12 +45,8 @@ module.exports = function(core) {
               patchType,
               post(data) {
                 const { args: origArgs, result, hooked, orig } = data;
-                if (
-                  !result ||
-                  !sources.getStore()?.assess ||
-                  instrumentation.isLocked()
-                )
-                  return;
+                if (!result || !getSourceContext(PROPAGATOR)) return;
                 const pathSegments = [...origArgs].reverse();
                 const args = [];