npm - @contrast/assess - Versions diffs - 1.34.0 → 1.36.0 - Mend

@contrast/assess 1.34.0 → 1.36.0

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (171) hide show

package/lib/dataflow/propagation/install/path/join-and-resolve.test.js CHANGED Viewed

@@ -45,7 +45,7 @@ describe('assess dataflow propagation path', function () {
             });
           });
-          it('will not propagate if there is no assess context', function () {
+          it('will not propagate if there is no assess policy in request context', function () {
             simulateRequestScope(function () {
               const seg1 = trackString('/path');
               const seg2 = trackString('/to');
@@ -54,7 +54,7 @@ describe('assess dataflow propagation path', function () {
               const result = path[method](seg1, seg2, seg3);
               expect(tracker.getData(result)).to.be.null;
-            }, {});
+            }, { assess: { policy: null } });
           });
           it('will not propagate if there instrumentation is locked', function () {

package/lib/dataflow/propagation/install/path/normalize.js CHANGED Viewed

@@ -15,18 +15,16 @@
 'use strict';
 const { isString } = require('@contrast/common');
+const { InstrumentationType: { PROPAGATOR } } = require('../../../../constants');
 const { patchType } = require('../../common');
-const {
-  createArgTagsInResult,
-  excludeExtensionDotFromTags,
-} = require('./common');
+const { createArgTagsInResult, excludeExtensionDotFromTags, } = require('./common');
 module.exports = function(core) {
   const {
     depHooks,
     patcher,
-    scopes: { sources, instrumentation },
     assess: {
+      getSourceContext,
       eventFactory: { createPropagationEvent },
       dataflow: { tracker },
     },
@@ -43,12 +41,7 @@ module.exports = function(core) {
             patchType,
             post(data) {
               const { args, result, name, hooked, orig } = data;
-              if (
-                !result ||
-                !sources.getStore()?.assess ||
-                instrumentation.isLocked()
-              )
-                return;
+              if (!result || !getSourceContext(PROPAGATOR)) return;
               const pathStr = args[0];

package/lib/dataflow/propagation/install/path/normalize.test.js CHANGED Viewed

@@ -42,14 +42,14 @@ describe('assess dataflow propagation path normalize', function () {
         });
       });
-      it('will not propagate if there is no assess context', function () {
+      it('will not propagate if there is no assess policy in request context', function () {
         simulateRequestScope(function () {
           const myPath = trackString('/path');
           const result = path.normalize(myPath);
           expect(tracker.getData(result)).to.be.null;
-        }, {});
+        }, { assess: { policy: null } });
       });
       it('will not propagate if there instrumentation is locked', function () {

package/lib/dataflow/propagation/install/path/parse.js CHANGED Viewed

@@ -15,6 +15,7 @@
 'use strict';
 const { isString } = require('@contrast/common');
+const { InstrumentationType: { PROPAGATOR } } = require('../../../../constants');
 const { createSubsetTags } = require('../../../tag-utils');
 const { patchType } = require('../../common');
 const { excludeExtensionDotFromTags } = require('./common');
@@ -23,8 +24,8 @@ module.exports = function(core) {
   const {
     depHooks,
     patcher,
-    scopes: { sources, instrumentation },
     assess: {
+      getSourceContext,
       inspect, // todo: remove
       eventFactory: { createPropagationEvent },
       dataflow: { tracker },
@@ -42,15 +43,9 @@ module.exports = function(core) {
             patchType,
             post(data) {
               const { args, result, name: patchName, hooked, orig } = data;
-              if (
-                !result ||
-                !sources.getStore()?.assess ||
-                instrumentation.isLocked()
-              )
-                return;
+              if (!result || !getSourceContext(PROPAGATOR)) return;
               const [path] = args;
               if (!path || !isString(path)) return;
               const strInfo = tracker.getData(path);

package/lib/dataflow/propagation/install/path/parse.test.js CHANGED Viewed

@@ -40,7 +40,7 @@ describe('assess dataflow propagation path parse', function () {
         });
       });
-      it('will not propagate if there is no assess context', function () {
+      it('will not propagate if there is no assess policy in request context', function () {
         simulateRequestScope(function () {
           const str = trackString('/path/to/file.txt');
           const result = path.parse(str);
@@ -48,7 +48,7 @@ describe('assess dataflow propagation path parse', function () {
             const valInfo = tracker.getData(result[key]);
             expect(valInfo).to.be.null;
           });
-        }, {});
+        }, { assess: { policy: null } });
       });
       it('will not propagate if instrumentation is locked', function () {

package/lib/dataflow/propagation/install/path/relative.js CHANGED Viewed

@@ -14,19 +14,18 @@
  */
 'use strict';
 const { isString } = require('@contrast/common');
+const { InstrumentationType: { PROPAGATOR } } = require('../../../../constants');
 const { patchType } = require('../../common');
-const {
-  createArgTagsInResult,
-  excludeExtensionDotFromTags,
-} = require('./common');
+const { createArgTagsInResult, excludeExtensionDotFromTags, } = require('./common');
 module.exports = function(core) {
   const {
     depHooks,
     patcher,
-    scopes: { sources, instrumentation },
     assess: {
+      getSourceContext,
       eventFactory: { createPropagationEvent },
       dataflow: { tracker },
     },
@@ -43,12 +42,7 @@ module.exports = function(core) {
             patchType,
             post(data) {
               const { args, result, name, hooked, orig } = data;
-              if (
-                !result ||
-                !sources.getStore()?.assess ||
-                instrumentation.isLocked()
-              )
-                return;
+              if (!result || !getSourceContext(PROPAGATOR)) return;
               const [fromStr, toStr] = args;

package/lib/dataflow/propagation/install/path/relative.test.js CHANGED Viewed

@@ -41,14 +41,14 @@ describe('assess dataflow propagation path relative', function () {
         });
       });
-      it('will not propagate if there is no assess context', function () {
+      it('will not propagate if there is no assess policy in request context', function () {
         simulateRequestScope(function () {
           const myPath = trackString('/path');
           const result = path.relative('/to', myPath);
           expect(tracker.getData(result)).to.be.null;
-        }, {});
+        }, { assess: { policy: null } });
       });
       it('will not propagate if there instrumentation is locked', function () {

package/lib/dataflow/propagation/install/path/toNamespacedPath.js CHANGED Viewed

@@ -14,19 +14,18 @@
  */
 'use strict';
 const { isString } = require('@contrast/common');
+const { InstrumentationType: { PROPAGATOR } } = require('../../../../constants');
 const { patchType } = require('../../common');
-const {
-  createArgTagsInResult,
-  excludeExtensionDotFromTags
-} = require('./common');
+const { createArgTagsInResult, excludeExtensionDotFromTags } = require('./common');
 module.exports = function(core) {
   const {
     depHooks,
     patcher,
-    scopes: { sources, instrumentation },
     assess: {
+      getSourceContext,
       eventFactory: { createPropagationEvent },
       dataflow: { tracker },
     },
@@ -42,12 +41,7 @@ module.exports = function(core) {
             patchType,
             post(data) {
               const { args, result, name, hooked, orig } = data;
-              if (
-                !result ||
-                !sources.getStore()?.assess ||
-                instrumentation.isLocked()
-              )
-                return;
+              if (!result || !getSourceContext(PROPAGATOR)) return;
               const pathStr = args[0];

package/lib/dataflow/propagation/install/path/toNamespacedPath.test.js CHANGED Viewed

@@ -35,14 +35,14 @@ describe('assess dataflow propagation path toNamespacedPath', function () {
       });
     });
-    it('will not propagate if there is no assess context', function () {
+    it('will not propagate if there is no assess policy in request context', function () {
       simulateRequestScope(function () {
         const myPath = trackString('C:\\path\\to\\file.txt');
         const result = path.toNamespacedPath(myPath);
         expect(tracker.getData(result)).to.be.null;
-      }, {});
+      }, { assess: { policy: null } });
     });
     it('will not propagate if there instrumentation is locked', function () {

package/lib/dataflow/propagation/install/pug/index.js CHANGED Viewed

@@ -14,6 +14,7 @@
  */
 'use strict';
+const { InstrumentationType: { PROPAGATOR } } = require('../../../../constants');
 const { patchType } = require('../../common');
 /** @type {import('@contrast/rewriter').RewriteOpts} */
@@ -22,8 +23,12 @@ const REWRITE_OPTS = { isModule: false, inject: false, wrap: false };
 module.exports = function (core) {
   const store = { lock: true, name: 'assess:propagators:pug-compile' };
   const {
-    scopes: { sources, instrumentation },
-    patcher, logger, rewriter, depHooks,
+    patcher,
+    logger,
+    rewriter,
+    depHooks,
+    scopes: { instrumentation },
+    assess: { getSourceContext },
   } = core;
   const pugInstrumentation = {
@@ -34,7 +39,7 @@ module.exports = function (core) {
           name: 'pug.compile',
           patchType,
           pre(data) {
-            if (!sources.getStore()?.assess || instrumentation.isLocked()) return;
+            if (!getSourceContext(PROPAGATOR)) return;
             const opts = data.args[1] || {};
             const plugins = opts.plugins || [];

package/lib/dataflow/propagation/install/pug-runtime-escape.js CHANGED Viewed

@@ -15,20 +15,17 @@
 'use strict';
-const {
-  DataflowTag: { WEAK_URL_ENCODED }
-} = require('@contrast/common');
-const {
-  createFullLengthCopyTags
-} = require('../../tag-utils');
+const { DataflowTag: { WEAK_URL_ENCODED } } = require('@contrast/common');
+const { InstrumentationType: { PROPAGATOR } } = require('../../../constants');
+const { createFullLengthCopyTags } = require('../../tag-utils');
 const { patchType, createModuleLabel } = require('../common');
 module.exports = function(core) {
   const {
-    scopes: { sources, instrumentation },
     patcher,
     depHooks,
     assess: {
+      getSourceContext,
       eventFactory: { createPropagationEvent },
       dataflow: { tracker }
     }
@@ -44,7 +41,7 @@ module.exports = function(core) {
           patchType,
           post(data) {
             const { args, result, hooked, orig } = data;
-            if (!result || !args[0] || !sources.getStore()?.assess || instrumentation.isLocked()) return;
+            if (!result || !args[0] || !getSourceContext(PROPAGATOR)) return;
             const argInfo = tracker.getData(args[0]);

package/lib/dataflow/propagation/install/pug-runtime-escape.test.js CHANGED Viewed

@@ -54,7 +54,7 @@ describe('assess dataflow propagation pugRuntime.escape', function () {
       const value = trackString('foo');
       const result = mockPugRuntime.escape(value);
       expect(tracker.getData(result)).to.be.null;
-    }, {});
+    }, { assess: { policy: null } });
   });
   it('will not propagate if there instrumentation is locked', function () {

package/lib/dataflow/propagation/install/querystring/escape.js CHANGED Viewed

@@ -15,19 +15,20 @@
 'use strict';
 const { DataflowTag: { URL_ENCODED } } = require('@contrast/common');
+const { InstrumentationType: { PROPAGATOR } } = require('../../../../constants');
 const { createFullLengthCopyTags } = require('../../../tag-utils');
 const { patchType } = require('../../common');
 module.exports = function(core) {
   const {
     assess: {
+      getSourceContext,
       inspect, // todo: remove
       eventFactory: { createPropagationEvent },
       dataflow: { tracker }
     },
     depHooks,
     patcher,
-    scopes,
   } = core;
   return core.assess.dataflow.propagation.querystringInstrumentation.escape = {
@@ -43,8 +44,7 @@ module.exports = function(core) {
             const strInfo = tracker.getData(value);
             if (!strInfo) return;
-            const sourceContext = scopes.sources.getStore()?.assess;
-            if (!sourceContext) return;
+            if (!getSourceContext(PROPAGATOR)) return;
             let tags;
             if (value !== data.result) {

package/lib/dataflow/propagation/install/querystring/parse.js CHANGED Viewed

@@ -18,17 +18,18 @@
 const querystring = require('querystring');
 const {
   DataflowTag: { URL_ENCODED },
-  ArrayPrototypeJoin,
+  primordials: { ArrayPrototypeJoin },
 } = require('@contrast/common');
+const { InstrumentationType: { PROPAGATOR } } = require('../../../../constants');
 const { createSubsetTags, createAppendTags, getAdjustedUntrackedValue } = require('../../../tag-utils');
 const { patchType } = require('../../common');
 module.exports = function(core) {
   const {
-    scopes: { sources, instrumentation },
     patcher,
     depHooks,
     assess: {
+      getSourceContext,
       eventFactory: { createPropagationEvent },
       dataflow: { tracker }
     }
@@ -105,15 +106,10 @@ module.exports = function(core) {
             name: `querystring.${method}`,
             patchType,
             pre(data) {
-              if (!sources.getStore()?.assess || instrumentation.isLocked()) return;
-              const input = data.args[0];
-              if (!input) {
-                return;
-              }
-              const trackingData = tracker.getData(input);
-              if (!trackingData) {
-                return;
-              }
+              if (!data.args[0] || !getSourceContext(PROPAGATOR)) return;
+              const trackingData = tracker.getData(data.args[0]);
+              if (!trackingData) return;
               data.idx = 0;
               data.origArgs = [...data.args];

package/lib/dataflow/propagation/install/querystring/stringify.js CHANGED Viewed

@@ -16,6 +16,7 @@
 const querystring = require('querystring');
 const { isString } = require('@contrast/common');
+const { InstrumentationType: { PROPAGATOR } } = require('../../../../constants');
 const utils = require('../../../tag-utils');
 const { patchType } = require('../../common');
@@ -24,21 +25,20 @@ const moduleName = 'querystring';
 module.exports = function(core) {
   const {
     assess: {
+      getSourceContext,
       inspect, // todo: remove
       dataflow: { tracker },
       eventFactory: { createPropagationEvent },
     },
     depHooks,
     patcher,
-    scopes,
   } = core;
   /**
    * Adds custom encoding function to capture key/value tags and history during stringification
    */
   function pre(data) {
-    const sourceContext = scopes.sources.getStore()?.assess;
-    if (!sourceContext) return;
+    if (!getSourceContext(PROPAGATOR)) return;
     const [input] = data.args;
     const escape = typeof data.args[3]?.encodeURIComponent === 'function'

package/lib/dataflow/propagation/install/reg-exp-prototype-exec.js CHANGED Viewed

@@ -14,14 +14,16 @@
  */
 'use strict';
+const { InstrumentationType: { PROPAGATOR } } = require('../../../constants');
 const { createSubsetTags, getAdjustedUntrackedValue } = require('../../tag-utils');
 const { patchType } = require('../common');
 module.exports = function(core) {
   const {
-    scopes: { sources, instrumentation },
     patcher,
     assess: {
+      getSourceContext,
       eventFactory: { createPropagationEvent },
       dataflow: { tracker },
     },
@@ -83,8 +85,7 @@ module.exports = function(core) {
             !obj ||
             !args[0] ||
             !result?.length ||
-            !sources.getStore()?.assess ||
-            instrumentation.isLocked()
+            !getSourceContext(PROPAGATOR)
           )
             return;

package/lib/dataflow/propagation/install/reg-exp-prototype-exec.test.js CHANGED Viewed

@@ -104,11 +104,12 @@ describe('assess dataflow propagation RegExp exec', function () {
     it.skip('propagates strings when iteratively called', function() {
       simulateRequestScope(() => {
         const re = /^\/?$/i;
-        //                          0123456789*1234567
+        // eslint-disable-next-line
         const extern = trackString('');
         let ret;
         while ((ret = re.exec(''))) {
+          // eslint-disable-next-line
           const matchInfo = tracker.getData(ret[0]);
           // console.log(re.lastIndex, ret.index, ret.indices);
           re.lastIndex += 1;
@@ -153,6 +154,8 @@ describe('assess dataflow propagation RegExp exec', function () {
     it('does not propagate if we exeeded the maximum propagation count for a group', function () {
       simulateRequestScope(() => {
+        core.scopes.sources.getStore().assess.propagationEventsCount = 498;
         const re = /foo(?<bar>bar)/;
         const extern = trackString('foobar');
@@ -173,7 +176,7 @@ describe('assess dataflow propagation RegExp exec', function () {
           [UNTRUSTED]: [0, 2]
         });
         expect(barGroupInfo).to.be.null;
-      }, { assess: { propagationEventsCount: 498 } });
+      });
     });
@@ -251,7 +254,6 @@ describe('assess dataflow propagation RegExp exec', function () {
         const blackInfo = tracker.getData(ret[3]);
         const colorGroupInfo = tracker.getData(ret.groups.color);
         expect(ret).to.deep.equal([
           'Quick Brown Fox Jumps Over The Lazy Black',
           'Brown',

package/lib/dataflow/propagation/install/send.js CHANGED Viewed

@@ -15,13 +15,13 @@
 'use strict';
 const { patchType } = require('../common');
-const { StringPrototypeSlice } = require('@contrast/common');
+const { primordials: { StringPrototypeSlice } } = require('@contrast/common');
 module.exports = function (core) {
   const {
-    scopes: { sources, instrumentation },
     depHooks,
-    patcher
+    patcher,
+    assess: { getSourceContext }
   } = core;
   const send = {};
@@ -37,10 +37,7 @@ module.exports = function (core) {
           patchType,
           pre(data) {
             const { args } = data;
-            if (!sources.getStore()?.assess || instrumentation.isLocked()) {
-              return;
-            }
+            if (!getSourceContext()) return;
             const untrackedPath = StringPrototypeSlice.call(` ${args[0]}`, 1);
             args[0] = untrackedPath;
@@ -51,9 +48,7 @@ module.exports = function (core) {
   }
   send.install = function () {
-    depHooks.resolve({ name: 'send' }, (sendModule) =>
-      patchSendModule(sendModule)
-    );
+    depHooks.resolve({ name: 'send' }, patchSendModule);
   };
   return send;

package/lib/dataflow/propagation/install/sequelize/query-generator.js CHANGED Viewed

@@ -14,9 +14,7 @@
  */
 'use strict';
-const {
-  DataflowTag: { SQL_ENCODED }
-} = require('@contrast/common');
+const { DataflowTag: { SQL_ENCODED } } = require('@contrast/common');
 const { patchType } = require('../../common');
 const DIALECTS = [
@@ -33,6 +31,7 @@ const DIALECTS = [
 module.exports = function(core) {
   const {
     assess: {
+      getSourceContext,
       eventFactory: { createPropagationEvent },
       dataflow: { tracker }
     },
@@ -53,7 +52,7 @@ module.exports = function(core) {
               patchType,
               post(data) {
                 const strInfo = tracker.getData(data.result);
-                if (!strInfo) return;
+                if (!strInfo || !getSourceContext()) return;
                 const { value } = strInfo;
                 const event = createPropagationEvent({

package/lib/dataflow/propagation/install/sequelize/sql-string.js CHANGED Viewed

@@ -17,16 +17,17 @@
 const {
   isString,
+  primordials: { StringPrototypeMatchAll },
   DataflowTag: { SQL_ENCODED },
 } = require('@contrast/common');
 const { patchType, createModuleLabel } = require('../../common');
 module.exports = function(core) {
   const {
-    scopes: { sources, instrumentation },
     patcher,
     depHooks,
     assess: {
+      getSourceContext,
       eventFactory: { createPropagationEvent },
       dataflow: { tracker },
     },
@@ -45,7 +46,7 @@ module.exports = function(core) {
   function getFormatNamedParametersPositions(str) {
     const regex = /:(\w+)(?=[\s,;)]|$)/g;
-    const matches = str.matchAll(regex);
+    const matches = StringPrototypeMatchAll.call(str, regex);
     return Array.from(matches, (match) => ({ [match[1]]: match.index }));
   }
@@ -68,8 +69,7 @@ module.exports = function(core) {
                 !result ||
                 !args[0] ||
                 !isString(args[0]) ||
-                !sources.getStore()?.assess ||
-                instrumentation.isLocked()
+                !getSourceContext()
               ) return;
               const argInfo = tracker.getData(args[0]);
@@ -123,10 +123,8 @@ module.exports = function(core) {
                 !result ||
                 !args[0] ||
                 !isString(args[0]) ||
-                !sources.getStore()?.assess ||
-                instrumentation.isLocked()
-              )
-                return;
+                !getSourceContext()
+              ) return;
               const resultInfo = tracker.getData(result);
               if (!resultInfo) {
@@ -217,10 +215,8 @@ module.exports = function(core) {
                 !result ||
                 !args[0] ||
                 !isString(args[0]) ||
-                !sources.getStore()?.assess ||
-                instrumentation.isLocked()
-              )
-                return;
+                !getSourceContext()
+              ) return;
               const resultInfo = tracker.getData(result);
               if (!resultInfo) {

package/lib/dataflow/propagation/install/sequelize/sql-string.test.js CHANGED Viewed

@@ -40,7 +40,6 @@ describe('assess dataflow propagation sequelize sql-string', function () {
     core.depHooks.resolve.yield(mockSequelizeSqlString);
   });
   afterEach(function () {
     core.assess.dataflow.propagation.stringInstrumentation.uninstall();
     sinon.resetHistory();
@@ -96,7 +95,6 @@ describe('assess dataflow propagation sequelize sql-string', function () {
     describe(method, function () {
       it('sanitizes correctly', function () {
         simulateRequestScope(function () {
           const notTrackedResult = mockSequelizeSqlString[method](...notTrackedArgs);
           const notTrackedStrInfo = tracker.getData(notTrackedResult);
@@ -109,20 +107,11 @@ describe('assess dataflow propagation sequelize sql-string', function () {
       });
       if (!onlySanitizeCheck) {
-        it('will not sanitize if there is no assess context', function () {
+        it('will not sanitize if there is no assess policy in request context', function () {
           simulateRequestScope(function () {
             const result = mockSequelizeSqlString[method](...args.map(a => a()));
             expect(tracker.getData(result)).to.be.null;
-          }, {});
-        });
-        it('will not sanitize if there instrumentation is locked', function () {
-          simulateRequestScope(function () {
-            core.scopes.instrumentation.run({ lock: true }, function () {
-              const result = mockSequelizeSqlString[method](...args.map(a => a()));
-              expect(tracker.getData(result)?.tags || {}).to.not.haveOwnProperty(SQL_ENCODED);
-            });
-          });
+          }, { assess: { policy: null } });
         });
       }
     });