npm - @contrast/assess - Versions diffs - 1.34.0 → 1.36.0 - Mend

@contrast/assess 1.34.0 → 1.36.0

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (171) hide show

package/lib/dataflow/propagation/install/unescape.js CHANGED Viewed

@@ -15,19 +15,16 @@
 'use strict';
-const {
-  DataflowTag: { WEAK_URL_ENCODED }
-} = require('@contrast/common');
-const {
-  createFullLengthCopyTags
-} = require('../../tag-utils');
+const { DataflowTag: { WEAK_URL_ENCODED } } = require('@contrast/common');
+const { InstrumentationType: { PROPAGATOR } } = require('../../../constants');
+const { createFullLengthCopyTags } = require('../../tag-utils');
 const { patchType, createObjectLabel } = require('../common');
 module.exports = function(core) {
   const {
-    scopes: { sources, instrumentation },
     patcher,
     assess: {
+      getSourceContext,
       eventFactory: { createPropagationEvent },
       dataflow: { tracker }
     }
@@ -42,7 +39,7 @@ module.exports = function(core) {
         patchType,
         post(data) {
           const { args, result, hooked, orig } = data;
-          if (!result || !args[0] || !sources.getStore()?.assess || instrumentation.isLocked()) return;
+          if (!result || !args[0] || !getSourceContext(PROPAGATOR)) return;
           const argInfo = tracker.getData(args[0]);

package/lib/dataflow/propagation/install/unescape.test.js CHANGED Viewed

@@ -58,12 +58,12 @@ describe('assess dataflow propagation unescape', function () {
     });
   });
-  it('will not propagate if there is no assess context', function () {
+  it('will not propagate if there is no assess policy in request context', function () {
     simulateRequestScope(function () {
       const value = trackString('%3Ftest%3Dstr');
       const result = unescape(value);
       expect(tracker.getData(result)).to.be.null;
-    }, {});
+    }, { assess: { policy: null } });
   });
   it('will not propagate if there instrumentation is locked', function () {

package/lib/dataflow/propagation/install/url/domain-parsers.js CHANGED Viewed

@@ -15,17 +15,16 @@
 'use strict';
-const {
-  createFullLengthCopyTags
-} = require('../../../tag-utils');
+const { InstrumentationType: { PROPAGATOR } } = require('../../../../constants');
+const { createFullLengthCopyTags } = require('../../../tag-utils');
 const { patchType, createModuleLabel } = require('../../common');
 module.exports = function(core) {
   const {
-    scopes: { sources, instrumentation },
     patcher,
     depHooks,
     assess: {
+      getSourceContext,
       eventFactory: { createPropagationEvent },
       dataflow: { tracker }
     }
@@ -42,7 +41,7 @@ module.exports = function(core) {
             patchType,
             post(data) {
               const { args, result, hooked, orig } = data;
-              if (!result || !args[0] || !sources.getStore()?.assess || instrumentation.isLocked()) return;
+              if (!result || !args[0] || !getSourceContext(PROPAGATOR)) return;
               const argInfo = tracker.getData(args[0]);

package/lib/dataflow/propagation/install/url/domain-parsers.test.js CHANGED Viewed

@@ -43,12 +43,12 @@ describe('assess dataflow propagation url domain-parsers', function () {
     });
   });
-  it('will not propagate if there is no assess context', function () {
+  it('will not propagate if there is no assess store in request context', function () {
     simulateRequestScope(function () {
       const value = trackString('foo');
       const result = url.domainToASCII(value);
       expect(tracker.getData(result)).to.be.null;
-    }, {});
+    }, { assess: { policy: null } });
   });
   it('will not propagate if there instrumentation is locked', function () {

package/lib/dataflow/propagation/install/url/parse.js CHANGED Viewed

@@ -15,14 +15,15 @@
 'use strict';
+const { InstrumentationType: { PROPAGATOR } } = require('../../../../constants');
 const { patchType } = require('../../common');
 module.exports = function(core) {
   const {
-    scopes: { sources, instrumentation },
     patcher,
     depHooks,
     assess: {
+      getSourceContext,
       inspect, // todo: remove
       eventFactory: { createPropagationEvent },
       dataflow: { tracker }
@@ -88,7 +89,7 @@ module.exports = function(core) {
           patchType,
           post(data) {
             const { args, result, hooked, orig } = data;
-            if (!result || !args[0] || !sources.getStore()?.assess || instrumentation.isLocked()) return;
+            if (!result || !args[0] || !getSourceContext(PROPAGATOR)) return;
             const [url, parseQueryString] = args;
             const argInfo = tracker.getData(url);

package/lib/dataflow/propagation/install/url/parse.test.js CHANGED Viewed

@@ -67,14 +67,14 @@ describe('assess dataflow propagation url.parse', function () {
     });
   });
-  it('will not propagate if there is no assess context', function () {
+  it('will not propagate if there is no assess policy in request context', function () {
     simulateRequestScope(function () {
       const value = trackString('foo');
       const result = new url.parse('http://'.concat(value, ':3000/path'));
       keys.forEach((key) => {
         expect(tracker.getData(result[key])).to.be.null;
       });
-    }, {});
+    }, { assess: { policy: null } });
   });
   it('will not propagate if there instrumentation is locked', function () {

package/lib/dataflow/propagation/install/url/searchParams.js CHANGED Viewed

@@ -15,17 +15,18 @@
 'use strict';
-const { patchType } = require('../../common');
-const { isString, StringPrototypeConcat, StringPrototypeReplaceAll } = require('@contrast/common');
+const { isString, primordials: { StringPrototypeConcat, StringPrototypeReplaceAll } } = require('@contrast/common');
+const { InstrumentationType: { PROPAGATOR } } = require('../../../../constants');
 const { createAppendTags } = require('../../../tag-utils');
+const { patchType } = require('../../common');
 module.exports = function(core) {
   const {
-    scopes: { sources, instrumentation },
     patcher,
     depHooks,
     assess: {
       inspect, // todo: remove
+      getSourceContext,
       eventFactory: { createPropagationEvent },
       dataflow: { tracker }
     }
@@ -60,7 +61,6 @@ module.exports = function(core) {
   return core.assess.dataflow.propagation.urlInstrumentation.searchParams = {
     install() {
       depHooks.resolve({ name: 'url' }, (url) => {
         const name = 'url.URLSearchParams';
         patcher.patch(url, 'URLSearchParams', {
@@ -68,7 +68,7 @@ module.exports = function(core) {
           patchType,
           post(data) {
             const { args, obj, result } = data;
-            if (!result || !args[0] || !sources.getStore()?.assess || instrumentation.isLocked()) return;
+            if (!result || !args[0] || !getSourceContext(PROPAGATOR)) return;
             const [params] = args;

package/lib/dataflow/propagation/install/url/searchParams.test.js CHANGED Viewed

@@ -40,14 +40,14 @@ describe('assess dataflow propagation url.URLSearchParams', function () {
     });
   });
-  it('will not propagate if there is no assess context', function () {
+  it('will not propagate if there is no assess policy in request context', function () {
     simulateRequestScope(function () {
       const value = trackString('foo');
       const result = new url.URLSearchParams('?query='.concat(value));
       const input = result.get('query');
       expect(input).to.be.equal('foo');
       expect(tracker.getData(input)).to.be.null;
-    }, {});
+    }, { assess: { policy: null } });
   });
   it('will not propagate if instrumentation is locked', function () {

package/lib/dataflow/propagation/install/url/url.js CHANGED Viewed

@@ -15,14 +15,17 @@
 'use strict';
+const { InstrumentationType: { PROPAGATOR } } = require('../../../../constants');
 const { patchType } = require('../../common');
+const { primordials: { StringPrototypeSplit } } = require('@contrast/common');
 module.exports = function(core) {
   const {
-    scopes: { sources, instrumentation },
     patcher,
     depHooks,
     assess: {
+      getSourceContext,
       inspect, // todo: remove
       eventFactory: { createPropagationEvent },
       dataflow: { tracker }
@@ -91,7 +94,7 @@ module.exports = function(core) {
           patchType,
           post(data) {
             const { args, result } = data;
-            if (!result || !args[0] || !sources.getStore()?.assess || instrumentation.isLocked()) return;
+            if (!result || !args[0] || !getSourceContext(PROPAGATOR)) return;
             const [input, basename] = args;
             let url = input;
@@ -143,7 +146,7 @@ module.exports = function(core) {
                   if (part !== 'null') {
                     if (key === 'origin') {
-                      const [protocol, originWithoutProtocol] = part.split(new RegExp('(?<=//)'));
+                      const [protocol, originWithoutProtocol] = StringPrototypeSplit.call(part, new RegExp('(?<=//)'));
                       const idx1 = href.indexOf(protocol);
                       const idx2 = href.indexOf(originWithoutProtocol, idx - 1);
                       substr = href.substring(idx1, idx1 + protocol.length).concat(href.substring(idx2, idx2 + originWithoutProtocol.length));

package/lib/dataflow/propagation/install/url/url.test.js CHANGED Viewed

@@ -67,14 +67,14 @@ describe('assess dataflow propagation url.URL', function () {
     });
   });
-  it('will not propagate if there is no assess context', function () {
+  it('will not propagate if there is no assess policy in request context', function () {
     simulateRequestScope(function () {
       const value = trackString('foo');
       const result = new url.URL('http://'.concat(value, ':3000/path'));
       keys.forEach((key) => {
         expect(tracker.getData(result[key])).to.be.null;
       });
-    }, {});
+    }, { assess: { policy: null } });
   });
   it('will not propagate if there instrumentation is locked', function () {

package/lib/dataflow/propagation/install/util-format.js CHANGED Viewed

@@ -15,16 +15,17 @@
 'use strict';
-const { patchType } = require('../common');
-const { isString } = require('@contrast/common');
+const { isString, primordials: { StringPrototypeMatch, StringPrototypeToLowerCase } } = require('@contrast/common');
+const { InstrumentationType: { PROPAGATOR } } = require('../../../constants');
 const { createAppendTags } = require('../../tag-utils');
+const { patchType } = require('../common');
 module.exports = function(core) {
   const {
-    scopes: { sources, instrumentation },
     patcher,
     depHooks,
     assess: {
+      getSourceContext,
       eventFactory: { createPropagationEvent },
       dataflow: { tracker }
     }
@@ -40,13 +41,13 @@ module.exports = function(core) {
           patchType,
           post(data) {
             const { args, result, hooked, orig } = data;
-            if (!result || !args[0] || !isString(args[0]) || !sources.getStore()?.assess || instrumentation.isLocked()) return;
+            if (!result || !args[0] || !isString(args[0]) || !getSourceContext(PROPAGATOR)) return;
             let idx = 0;
             let newTags = {};
             const history = [];
             const eventArgs = [];
-            const formatChars = args[0].includes('%') ? args[0].match(/[^%]+/g).map((x) => x[0]) : [];
+            const formatChars = args[0].includes('%') ? StringPrototypeMatch.call(args[0], /[^%]+/g).map((x) => x[0]) : [];
             let i = 0;
             if (formatChars.length > 0) {
@@ -61,7 +62,7 @@ module.exports = function(core) {
                 if (formatChar === 'j') {
                   arg = JSON.stringify(arg);
-                } else if (formatChar.toLowerCase() === 'o') {
+                } else if (StringPrototypeToLowerCase.call(formatChar) === 'o') {
                   // TO-DO: NODE-3235
                 }
               }

package/lib/dataflow/propagation/install/util-format.test.js CHANGED Viewed

@@ -25,12 +25,12 @@ describe('assess dataflow propagation util.format', function () {
     core.depHooks.resolve.yield(util);
   });
-  it('will not propagate if there is no assess context', function () {
+  it('will not propagate if there is no assess policy in request context', function () {
     simulateRequestScope(function () {
       const value = trackString('foo');
       const result = util.format('%s:%s', value, 'bar');
       expect(tracker.getData(result)).to.be.null;
-    }, {});
+    }, { assess: { policy: null } });
   });
   it('will not propagate if there instrumentation is locked', function () {

package/lib/dataflow/propagation/install/validator/hooks.js CHANGED Viewed

@@ -26,6 +26,7 @@ module.exports = function (core) {
     depHooks,
     patcher,
     assess: {
+      getSourceContext,
       eventFactory: { createPropagationEvent },
       dataflow: { tracker }
     }
@@ -73,7 +74,8 @@ module.exports = function (core) {
                 const matches = validator === 'matches';
                 if (
                   data.result &&
-                  (!matches || (matches && core.config.assess.trust_custom_validators))
+                  (!matches || (matches && core.config.assess.trust_custom_validators)) &&
+                  getSourceContext()
                 ) {
                   const trackingData = tracker.getData(data.args[0]);
                   if (trackingData) {
@@ -104,7 +106,7 @@ module.exports = function (core) {
             name: `validator.${untracker}`,
             patchType,
             post(data) {
-              if (data.result) {
+              if (data.result && getSourceContext()) {
                 const trackingData = tracker.getData(data.args[0]);
                 if (trackingData) {
                   tracker.untrack(data.args[0]);
@@ -121,6 +123,7 @@ module.exports = function (core) {
             name: `validator.${sanitizer}`,
             patchType,
             post(data) {
+              if (!getSourceContext()) return;
               const trackingData = tracker.getData(data.args[0]);
               if (trackingData) {
                 const newTags = {};
@@ -153,6 +156,8 @@ module.exports = function (core) {
             name: `validator.${method}`,
             patchType,
             post(data) {
+              if (!getSourceContext()) return;
               const options = data.args[1];
               const trackingData = tracker.getData(data.args[0]);

package/lib/dataflow/sinks/install/child-process.js CHANGED Viewed

@@ -16,7 +16,7 @@
 'use strict';
 const {
   DataflowTag: { UNTRUSTED },
-  ArrayPrototypeJoin,
+  primordials: { ArrayPrototypeJoin },
   Rule: { CMD_INJECTION: ruleId },
   isString,
 } = require('@contrast/common');

package/lib/dataflow/sinks/install/child-process.test.js CHANGED Viewed

@@ -6,7 +6,7 @@ const {
 const sinon = require('sinon');
 const { expect } = require('chai');
 const { initAssessFixture } = require('@contrast/test/fixtures');
-const { UtilInspect } = require('@contrast/common');
+const { primordials: { UtilInspect } } = require('@contrast/common');
 describe('assess dataflow sinks child_process', function () {
   let core, child_process, simulateRequestScope, trackString, tracker, reportFindings;

package/lib/dataflow/sinks/install/fs.js CHANGED Viewed

@@ -26,7 +26,7 @@ const {
   FS_METHODS,
   Rule: { PATH_TRAVERSAL: ruleId },
   isString,
-  ArrayPrototypeJoin,
+  primordials: { ArrayPrototypeJoin },
 } = require('@contrast/common');
 const { InstrumentationType: { RULE } } = require('../../../constants');

package/lib/dataflow/sinks/install/fs.test.js CHANGED Viewed

@@ -2,7 +2,7 @@
 const sinon = require('sinon');
 const { expect } = require('chai');
-const { FS_METHODS, ArrayPrototypeJoin, UtilInspect } = require('@contrast/common');
+const { FS_METHODS, primordials: { ArrayPrototypeJoin, UtilInspect } } = require('@contrast/common');
 const { initAssessFixture } = require('@contrast/test/fixtures');
 describe('assess dataflow sinks path-traversal', function () {

package/lib/dataflow/sinks/install/function.js CHANGED Viewed

@@ -17,7 +17,7 @@
 const {
   isString,
-  ArrayPrototypeJoin,
+  primordials: { ArrayPrototypeJoin },
   DataflowTag: {
     UNTRUSTED,
     CUSTOM_ENCODED_TRUST_BOUNDARY_VIOLATION,

package/lib/dataflow/sinks/install/http/request.js CHANGED Viewed

@@ -27,6 +27,7 @@ const {
     LIMITED_CHARS
   },
   Rule: { SSRF: ruleId },
+  primordials: { RegExpPrototypeExec }
 } = require('@contrast/common');
 const { InstrumentationType: { RULE } } = require('../../../../constants');
 const { createAppendTags } = require('../../../tag-utils');
@@ -84,7 +85,7 @@ module.exports = function(core) {
   function containsTrustedLib(stack) {
     for (const { file } of stack) {
       for (const trusted of trustedLibs) {
-        if (trusted.exec(file)) {
+        if (RegExpPrototypeExec.call(trusted, file)) {
           return true;
         }
       }

package/lib/dataflow/sinks/install/http/request.test.js CHANGED Viewed

@@ -7,7 +7,7 @@ const {
     UNTRUSTED,
     LIMITED_CHARS
   },
-  UtilInspect
+  primordials: { UtilInspect }
 } = require('@contrast/common');
 const { initAssessFixture } = require('@contrast/test/fixtures');

package/lib/dataflow/sinks/install/http/server-response.test.js CHANGED Viewed

@@ -73,17 +73,15 @@ describe('assess dataflow sinks http, http2, spdy', function () {
           });
           it('skips instrumentation if the content-type is safe', function () {
-            const store = {
-              assess: { responseData: { contentType: 'application/json' } },
-            };
             simulateRequestScope(function () {
+              core.scopes.sources.getStore().assess.responseData.contentType = 'application/json';
               const str = trackString('hello world');
               const { extern } = tracker.getData(str);
               response[method](extern);
               expect(reportFindings).to.not.have.been.called;
-            }, store);
+            });
           });
           it('skips instrumentation if the string is safe', function () {

package/lib/dataflow/sinks/install/restify.js CHANGED Viewed

@@ -26,7 +26,7 @@ const {
     URL_ENCODED,
   },
   isString,
-  ArrayPrototypeJoin,
+  primordials: { ArrayPrototypeJoin },
 } = require('@contrast/common');
 const { InstrumentationType: { RULE } } = require('../../../constants');
 const { createAppendTags } = require('../../tag-utils');

package/lib/dataflow/sinks/install/vm.js CHANGED Viewed

@@ -27,8 +27,10 @@ const {
   Rule: { UNSAFE_CODE_EXECUTION: ruleId },
   isNonEmptyObject,
   isString,
-  ArrayPrototypeJoin,
-  StringPrototypeSplit,
+  primordials: {
+    ArrayPrototypeJoin,
+    StringPrototypeSplit,
+  },
   traverseValues,
 } = require('@contrast/common');
 const { InstrumentationType: { RULE } } = require('../../../constants');

package/lib/dataflow/sinks/install/vm.test.js CHANGED Viewed

@@ -5,7 +5,7 @@ const { expect } = require('chai');
 const {
   DataflowTag: { UNTRUSTED, CUSTOM_VALIDATED },
   Rule: { UNSAFE_CODE_EXECUTION },
-  UtilInspect,
+  primordials: { UtilInspect },
 } = require('@contrast/common');
 const { initAssessFixture } = require('@contrast/test/fixtures');

package/lib/dataflow/sources/handler.js CHANGED Viewed

@@ -19,7 +19,10 @@ const {
   InputType,
   DataflowTag,
   isString,
-  ArrayPrototypeJoin,
+  primordials: {
+    ArrayPrototypeJoin,
+    StringPrototypeToLowerCase
+  }
 } = require('@contrast/common');
 module.exports = function (core) {
@@ -55,7 +58,7 @@ module.exports = function (core) {
       }
     }
-    if (inputType === InputType.HEADER && fieldName.toLowerCase() === 'referer') {
+    if (inputType === InputType.HEADER && StringPrototypeToLowerCase.call(fieldName) === 'referer') {
       tags[DataflowTag.HEADER] = [0, stop];
     }
@@ -63,7 +66,7 @@ module.exports = function (core) {
   };
   sources.createStacktrace = function (stacktraceOpts) {
-    return config.assess.stacktraces === 'NONE'
+    return config.assess.stacktraces === 'NONE' || config.assess.stacktraces === 'SINK'
       ? emptyStack
       : createSnapshot(stacktraceOpts)();
   };

package/lib/dataflow/sources/handler.test.js CHANGED Viewed

@@ -139,6 +139,44 @@ describe('assess dataflow sources handler', function () {
       });
     });
+    ['SINK', 'NONE'].forEach((option) => {
+      it(`does not capture stacktrace for assess.stacktraces=${option}`, function() {
+        simulateRequestScope(() => {
+          const sourceContext = core.scopes.sources.getStore()?.assess;
+          core.config.assess.stacktraces = option;
+          const trackedObj = sources.handle({
+            name: 'test-source-name',
+            inputType: InputType.QUERYSTRING,
+            data: { prop1: 'foo' },
+            sourceContext
+          });
+          const trackData = tracker.getData(trackedObj.prop1);
+          expect(trackData.stack).to.deep.equal([]);
+        });
+      });
+    });
+    ['SOME', 'ALL'].forEach((option) => {
+      it(`captures stacktrace for assess.stacktraces=${option}`, function() {
+        simulateRequestScope(() => {
+          const sourceContext = core.scopes.sources.getStore()?.assess;
+          core.config.assess.stacktraces = option;
+          const trackedObj = sources.handle({
+            name: 'test-source-name',
+            inputType: InputType.QUERYSTRING,
+            data: { prop1: 'foo' },
+            sourceContext
+          });
+          const trackData = tracker.getData(trackedObj.prop1);
+          expect(trackData.stack).to.be.instanceOf(Array);
+          expect(trackData.stack.length).to.be.greaterThan(0);
+        });
+      });
+    });
     it('traverses objects and tracks string values', function () {
       simulateRequestScope(() => {
         const sourceContext = core.scopes.sources.getStore()?.assess;

package/lib/dataflow/sources/install/body-parser1.test.js CHANGED Viewed

@@ -105,7 +105,7 @@ describe('assess dataflow sources body-parser v1', function () {
       });
     });
-    it('does not handle the request when not in context', function () {
+    it('does not handle the request when there is no assess policy in request context', function () {
       const middleware = bodyParser('text');
       simulateRequestScope(() => {
@@ -116,7 +116,7 @@ describe('assess dataflow sources body-parser v1', function () {
           { funcKey: 'assess-dataflow-source:body-parser.bodyParser' },
           'unable to handle source. Missing `sourceContext`'
         );
-      }, {});
+      }, { assess: { policy: null } });
     });
     it('does not handle the request when already tracked', function () {
@@ -205,7 +205,7 @@ describe('assess dataflow sources body-parser v1', function () {
         });
       });
-      it('does not handle the request when not in context', function () {
+      it('does not handle the request when there is  in context', function () {
         simulateRequestScope(() => {
           middleware(req, res, next);
@@ -214,7 +214,7 @@ describe('assess dataflow sources body-parser v1', function () {
             { funcKey: `assess-dataflow-source:body-parser.${method}.${method}Parser` },
             'unable to handle source. Missing `sourceContext`',
           );
-        }, {});
+        }, { assess: { policy: null } });
       });
       it('does not handle the request when already tracked', function () {

package/lib/dataflow/sources/install/busboy.js CHANGED Viewed

@@ -16,6 +16,7 @@
 'use strict';
 const { InputType } = require('@contrast/common');
+const { InstrumentationType: { SOURCE } } = require('../../../constants');
 const { patchType } = require('../common');
 const inputType = InputType.MULTIPART_VALUE;
@@ -26,16 +27,20 @@ module.exports = (core) => {
     depHooks,
     patcher,
     logger,
-    assess: { dataflow: { sources } },
+    assess: {
+      getSourceContext,
+      dataflow: {
+        sources,
+      }
+    },
   } = core;
   function createPreHook(finalEventName) {
     return function (data) {
       const { orig, hooked, funcKey } = data;
-      const sourceContext = core.scopes.sources.getStore()?.assess;
+      const sourceContext = getSourceContext(SOURCE);
       if (!sourceContext) {
-        logger.error({ inputType, funcKey }, 'unable to handle source. Missing `sourceContext`');
         return;
       }

package/lib/dataflow/sources/install/busboy.test.js CHANGED Viewed

@@ -110,12 +110,12 @@ describe('assess dataflow sources busboy', function () {
         );
       });
-      it('does not call `.handle` when not in context', function () {
+      it('does not call `.handle` when there is no assess policy in request context', function () {
         simulateRequestScope(() => {
           emitMethodVersions[version]('field', 'field1', 'value1');
           emitMethodVersions[version]('field', 'field2', 'value2');
           emitMethodVersions[version](finalEvent);
-        }, {});
+        }, { assess: { policy: null } });
         expect(sources.handle).not.to.have.been.called;
       });