npm - @contrast/assess - Versions diffs - 1.35.0 → 1.37.0 - Mend

@contrast/assess 1.35.0 → 1.37.0

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (169) hide show

package/lib/dataflow/propagation/install/joi/boolean.js CHANGED Viewed

@@ -23,9 +23,9 @@ const { patchType } = require('../../common');
 module.exports = function(core) {
   const {
     depHooks,
-    scopes: { sources, instrumentation },
     patcher,
     assess: {
+      getSourceContext,
       inspect, // todo: remove
       eventFactory: { createPropagationEvent },
       dataflow: { tracker },
@@ -40,70 +40,68 @@ module.exports = function(core) {
    */
   function instrumentJoiBoolean(boolean) {
     const def = Object.getPrototypeOf(boolean)?._definition;
-    def &&
-      patcher.patch(def.coerce, 'method', {
-        name: 'joi.boolean.coerce',
-        patchType,
-        post(data) {
-          if (
-            !data.result?.value ||
-            typeof data.result.value !== 'boolean' ||
-            !sources.getStore()?.assess ||
-            instrumentation.isLocked()
-          )
-            return;
+    if (!def?.coerce) return;
-          const argInfo = tracker.getData(data.args[0]);
+    patcher.patch(def.coerce, 'method', {
+      name: 'joi.boolean.coerce',
+      patchType,
+      post(data) {
+        if (
+          !data.result?.value ||
+          typeof data.result.value !== 'boolean' ||
+          !getSourceContext()
+        ) return;
-          if (!argInfo) return;
+        const argInfo = tracker.getData(data.args[0]);
+        if (!argInfo) return;
-          const event = createPropagationEvent({
-            name: 'Joi.boolean.coerce',
-            moduleName: 'joi',
-            methodName: 'boolean.coerce',
-            history: [{ ...argInfo }],
-            object: {
+        const event = createPropagationEvent({
+          name: 'Joi.boolean.coerce',
+          moduleName: 'joi',
+          methodName: 'boolean.coerce',
+          history: [{ ...argInfo }],
+          object: {
+            tracked: false,
+            value: 'Joi.boolean',
+          },
+          args: [
+            { tracked: true, value: argInfo.value },
+            {
               tracked: false,
-              value: 'Joi.boolean',
-            },
-            args: [
-              { tracked: true, value: argInfo.value },
-              {
-                tracked: false,
-                value: {
-                  ...inspect(data.args[1]),
-                  original: argInfo.value,
-                },
+              value: {
+                ...inspect(data.args[1]),
+                original: argInfo.value,
               },
-            ],
-            result: {
-              tracked: false,
-              value: data.result,
-            },
-            source: 'P0',
-            tags: {
-              ...argInfo.tags,
-              [ALPHANUM_SPACE_HYPHEN]: [0, argInfo.value.length - 1],
-            },
-            target: 'P0',
-            stacktraceOpts: {
-              prependFrames: [data.orig],
             },
-          });
+          ],
+          result: {
+            tracked: false,
+            value: data.result,
+          },
+          source: 'P0',
+          tags: {
+            ...argInfo.tags,
+            [ALPHANUM_SPACE_HYPHEN]: [0, argInfo.value.length - 1],
+          },
+          target: 'P0',
+          stacktraceOpts: {
+            prependFrames: [data.orig],
+          },
+        });
-          if (event) {
-            Object.assign(argInfo, event);
-          }
-        },
-      });
+        if (event) {
+          Object.assign(argInfo, event);
+        }
+      },
+    });
   }
-  return (core.assess.dataflow.propagation.joiInstrumentation.booleanCoerce = {
+  return core.assess.dataflow.propagation.joiInstrumentation.booleanCoerce = {
     install() {
       depHooks.resolve(
         { name: 'joi', file: 'lib/types/boolean.js', version: '>=17.0.0' },
         instrumentJoiBoolean
       );
     },
-  });
+  };
 };

package/lib/dataflow/propagation/install/joi/expression.js CHANGED Viewed

@@ -15,17 +15,15 @@
 'use strict';
-const {
-  DataflowTag: { HTML_ENCODED },
-} = require('@contrast/common');
+const { DataflowTag: { HTML_ENCODED } } = require('@contrast/common');
 const { patchType } = require('../../common');
 module.exports = function(core) {
   const {
     depHooks,
-    scopes: { sources, instrumentation },
     patcher,
     assess: {
+      getSourceContext,
       inspect, // todo: remove
       eventFactory: { createPropagationEvent },
       dataflow: { tracker },
@@ -41,12 +39,7 @@ module.exports = function(core) {
       name: `joi.${method}`,
       patchType,
       post(data) {
-        if (
-          !data.result ||
-          !sources.getStore()?.assess ||
-          instrumentation.isLocked()
-        )
-          return;
+        if (!data.result || !getSourceContext()) return;
         const argInfo = tracker.getData(data.args[0]);

package/lib/dataflow/propagation/install/joi/index.js CHANGED Viewed

@@ -27,137 +27,134 @@ const { tagCustomValidatedString, handleReferences } = require('./utils');
 module.exports = function(core) {
   const {
     patcher,
-    scopes: { sources, instrumentation },
     assess: {
+      getSourceContext,
       inspect, // todo: remove
       eventFactory: { createPropagationEvent },
       dataflow: { tracker },
     },
   } = core;
-  const joiInstrumentation =
-    (core.assess.dataflow.propagation.joiInstrumentation = {
-      install() {
-        callChildComponentMethodsSync(joiInstrumentation, 'install');
-      },
-      uninstall() {
-        callChildComponentMethodsSync(joiInstrumentation, 'uninstall');
-      },
-      patchValidateAsync(parentObj, parentObjType) {
-        patcher.patch(parentObj, 'validateAsync', {
-          name: `Joi.${parentObjType}.validateAsync`,
-          patchType,
-          post(data) {
-            const childNodes = data.obj?.$_terms.items?.length
-              ? data.obj.$_terms.items
-              : data.obj?.$_terms.keys?.length
-                ? data.obj.$_terms.keys
-                : null;
+  const joiInstrumentation = core.assess.dataflow.propagation.joiInstrumentation = {
+    install() {
+      callChildComponentMethodsSync(joiInstrumentation, 'install');
+    },
+    uninstall() {
+      callChildComponentMethodsSync(joiInstrumentation, 'uninstall');
+    },
+    patchValidateAsync(parentObj, parentObjType) {
+      patcher.patch(parentObj, 'validateAsync', {
+        name: `Joi.${parentObjType}.validateAsync`,
+        patchType,
+        post(data) {
+          const childNodes = data.obj?.$_terms.items?.length
+            ? data.obj.$_terms.items
+            : data.obj?.$_terms.keys?.length
+              ? data.obj.$_terms.keys
+              : null;
-            if (
-              (!childNodes && !data.obj?.$_terms?.externals?.length) ||
+          if (
+            (!childNodes && !data.obj?.$_terms?.externals?.length) ||
               (childNodes &&
-                !childNodes.find((i) => {
-                  const schema = i?.schema || i;
-                  return schema.$_terms?.externals?.length;
-                })) ||
+               !childNodes.find((i) => {
+                 const schema = i?.schema || i;
+                 return schema.$_terms?.externals?.length;
+               })) ||
               !core.config.assess.trust_custom_validators ||
-              !sources.getStore()?.assess ||
-              instrumentation.isLocked()
-            )
-              return;
+              !getSourceContext()
+          )
+            return;
-            data.result.then((result) => {
-              const metadata = {
-                origFn: data.orig,
-                methodName: parentObjType,
-                target: 'R',
-              };
+          data.result.then((result) => {
+            const metadata = {
+              origFn: data.orig,
+              methodName: parentObjType,
+              target: 'R',
+            };
-              if (isString(result)) {
+            if (isString(result)) {
+              tagCustomValidatedString(
+                createPropagationEvent,
+                tracker.getData(result),
+                metadata
+              );
+            } else if (isNonEmptyObject(result)) {
+              traverseValues(result, (_path, _key, value) => {
                 tagCustomValidatedString(
                   createPropagationEvent,
-                  tracker.getData(result),
+                  tracker.getData(value),
                   metadata
                 );
-              } else if (isNonEmptyObject(result)) {
-                traverseValues(result, (_path, _key, value) => {
-                  tagCustomValidatedString(
-                    createPropagationEvent,
-                    tracker.getData(value),
-                    metadata
-                  );
-                });
-              }
-            })
-              .catch(err => err);
-          },
-        });
-      },
-      patchCustomValidate(parentObj, objName) {
-        patcher.patch(parentObj.rules.custom, 'validate', {
-          name: `joi.${objName}.custom.valdiate`,
-          patchType,
-          post(data) {
-            const {
-              args: [input, schema],
-              result,
-              orig,
-            } = data;
+              });
+            }
+          })
+            .catch(err => err);
+        },
+      });
+    },
+    patchCustomValidate(parentObj, objName) {
+      patcher.patch(parentObj.rules.custom, 'validate', {
+        name: `joi.${objName}.custom.valdiate`,
+        patchType,
+        post(data) {
+          const {
+            args: [input, schema],
+            result,
+            orig,
+          } = data;
-            if (
-              !result ||
+          if (
+            !result ||
               !input ||
               (result.value === input &&
-                (result.messages?.source || result.local?.error)) ||
+               (result.messages?.source || result.local?.error)) ||
               !core.config.assess.trust_custom_validators ||
-              !sources.getStore()?.assess ||
-              instrumentation.isLocked()
-            )
-              return;
+              !getSourceContext()
+          )
+            return;
-            const inspectedSecondArg = inspect(schema);
-            const metadata = {
-              origFn: orig,
-              inspectedSecondArg,
-              methodName: `${objName}.custom.validate`,
-              target: 'R',
-            };
-            const validation = (trackingInfo) => {
+          const inspectedSecondArg = inspect(schema);
+          const metadata = {
+            origFn: orig,
+            inspectedSecondArg,
+            methodName: `${objName}.custom.validate`,
+            target: 'R',
+          };
+          const validation = (trackingInfo) => {
+            tagCustomValidatedString(
+              createPropagationEvent,
+              trackingInfo,
+              metadata
+            );
+          };
+          handleReferences(tracker, schema, validation);
+          if (isString(result)) {
+            validation(tracker.getData(result));
+            input === result &&
               tagCustomValidatedString(
                 createPropagationEvent,
-                trackingInfo,
-                metadata
+                tracker.getData(input),
+                { ...metadata, target: 'P0' }
               );
-            };
+          } else if (isNonEmptyObject(result)) {
+            traverseValues(result, (path, _key, value) => {
+              const argValue = path.reduce((obj, k) => obj[k] || obj, input);
-            handleReferences(tracker, schema, validation);
-            if (isString(result)) {
               validation(tracker.getData(result));
-              input === result &&
+              argValue === value &&
                 tagCustomValidatedString(
                   createPropagationEvent,
-                  tracker.getData(input),
+                  tracker.getData(argValue),
                   { ...metadata, target: 'P0' }
                 );
-            } else if (isNonEmptyObject(result)) {
-              traverseValues(result, (path, _key, value) => {
-                const argValue = path.reduce((obj, k) => obj[k] || obj, input);
-                validation(tracker.getData(result));
-                argValue === value &&
-                  tagCustomValidatedString(
-                    createPropagationEvent,
-                    tracker.getData(argValue),
-                    { ...metadata, target: 'P0' }
-                  );
-              });
-            }
-          },
-        });
-      },
-    });
+            });
+          }
+        },
+      });
+    }
+  };
   require('./any')(core);
   require('./expression')(core);

package/lib/dataflow/propagation/install/joi/keys.js CHANGED Viewed

@@ -17,7 +17,10 @@
 const {
   isNonEmptyObject,
-  ArrayPrototypeJoin,
+  primordials: {
+    ArrayPrototypeJoin,
+    ArrayPrototypeSlice
+  }
 } = require('@contrast/common');
 const { patchType } = require('../../common');
@@ -25,6 +28,7 @@ module.exports = function(core) {
   const {
     depHooks,
     patcher,
+    assess: { getSourceContext }
   } = core;
   function addMetadata(schema, refTargetPath, refPath, isInReference) {
@@ -43,9 +47,9 @@ module.exports = function(core) {
     let path = ArrayPrototypeJoin.call(refTargetPath, '.');
     if (isInReference) {
-      path = ArrayPrototypeJoin.call(refTargetPath.slice(0, -1), '.');
+      path = ArrayPrototypeJoin.call(ArrayPrototypeSlice.call(refTargetPath, 0, -1), '.');
       schema.__CONTRAST__.inReferenceTargets.add(path);
-      refPath = refPath.slice(0, -1);
+      refPath = ArrayPrototypeSlice.call(refPath, 0, -1);
     }
     const refs = schema.__CONTRAST__.refTargets[path] || [];
@@ -119,7 +123,7 @@ module.exports = function(core) {
     }
   }
-  return (core.assess.dataflow.propagation.joiInstrumentation.keys = {
+  return core.assess.dataflow.propagation.joiInstrumentation.keys = {
     install() {
       depHooks.resolve(
         { name: 'joi', file: 'lib/types/keys.js', version: '>=17.0.0' },
@@ -131,11 +135,12 @@ module.exports = function(core) {
               const [value] = data.args;
               const joi = data.obj.$_root;
+              if (!getSourceContext()) return;
               traverseSchemas(joi, value, value);
             },
           });
         }
       );
     },
-  });
+  };
 };

package/lib/dataflow/propagation/install/joi/number.js CHANGED Viewed

@@ -23,9 +23,9 @@ const { patchType } = require('../../common');
 module.exports = function(core) {
   const {
     depHooks,
-    scopes: { sources, instrumentation },
     patcher,
     assess: {
+      getSourceContext,
       inspect, // todo: remove
       eventFactory: { createPropagationEvent },
       dataflow: { tracker },
@@ -38,70 +38,68 @@ module.exports = function(core) {
    */
   function instrumentJoiNumber(number) {
     const def = Object.getPrototypeOf(number)?._definition;
-    def &&
-      patcher.patch(def.coerce, 'method', {
-        name: 'joi.number.coerce',
-        patchType,
-        post(data) {
-          if (
-            !data.result?.value ||
-            data.result.errors ||
-            !sources.getStore()?.assess ||
-            instrumentation.isLocked()
-          )
-            return;
+    if (!def?.coerce) return;
-          const argInfo = tracker.getData(data.args[0]);
+    patcher.patch(def.coerce, 'method', {
+      name: 'joi.number.coerce',
+      patchType,
+      post(data) {
+        if (
+          !data.result?.value ||
+          data.result.errors ||
+          !getSourceContext()
+        ) return;
-          if (!argInfo) return;
+        const argInfo = tracker.getData(data.args[0]);
+        if (!argInfo) return;
-          const event = createPropagationEvent({
-            name: 'Joi.number.coerce',
-            moduleName: 'joi',
-            methodName: 'number.coerce',
-            history: [{ ...argInfo }],
-            object: {
+        const event = createPropagationEvent({
+          name: 'Joi.number.coerce',
+          moduleName: 'joi',
+          methodName: 'number.coerce',
+          history: [{ ...argInfo }],
+          object: {
+            tracked: false,
+            value: 'Joi.number',
+          },
+          args: [
+            { tracked: true, value: argInfo.value },
+            {
               tracked: false,
-              value: 'Joi.number',
-            },
-            args: [
-              { tracked: true, value: argInfo.value },
-              {
-                tracked: false,
-                value: {
-                  ...inspect(data.args[1]),
-                  original: argInfo.value,
-                },
+              value: {
+                ...inspect(data.args[1]),
+                original: argInfo.value,
               },
-            ],
-            result: {
-              tracked: false,
-              value: data.result,
-            },
-            source: 'P0',
-            tags: {
-              ...argInfo.tags,
-              [LIMITED_CHARS]: [0, argInfo.value.length - 1],
-            },
-            target: 'P0',
-            stacktraceOpts: {
-              prependFrames: [data.orig],
             },
-          });
+          ],
+          result: {
+            tracked: false,
+            value: data.result,
+          },
+          source: 'P0',
+          tags: {
+            ...argInfo.tags,
+            [LIMITED_CHARS]: [0, argInfo.value.length - 1],
+          },
+          target: 'P0',
+          stacktraceOpts: {
+            prependFrames: [data.orig],
+          },
+        });
-          if (event) {
-            Object.assign(argInfo, event);
-          }
-        },
-      });
+        if (event) {
+          Object.assign(argInfo, event);
+        }
+      },
+    });
   }
-  return (core.assess.dataflow.propagation.joiInstrumentation.numberCoerce = {
+  return core.assess.dataflow.propagation.joiInstrumentation.numberCoerce = {
     install() {
       depHooks.resolve(
         { name: 'joi', file: 'lib/types/number.js', version: '>=17.0.0' },
         instrumentJoiNumber
       );
     },
-  });
+  };
 };

package/lib/dataflow/propagation/install/joi/string-schema.js CHANGED Viewed

@@ -39,17 +39,16 @@ const VALIDATORS = {
 module.exports = function(core) {
   const {
     depHooks,
-    scopes: { sources, instrumentation },
     patcher,
     assess: {
+      getSourceContext,
       inspect, // todo: remove
       eventFactory: { createPropagationEvent },
       dataflow: {
         tracker, propagation: {
           joiInstrumentation
         }
-      },
+      }
     },
   } = core;
@@ -113,10 +112,8 @@ module.exports = function(core) {
           !input ||
           (validatorName !== 'validate' && typeof data.result !== 'string') ||
           (validatorName === 'validate' && data.result) ||
-          !sources.getStore()?.assess ||
-          instrumentation.isLocked()
-        )
-          return;
+          !getSourceContext()
+        ) return;
         const inspectedSchema = inspect(schema);
         const validation = definePropagation(
@@ -147,10 +144,8 @@ module.exports = function(core) {
           !args[0] ||
           // currently, we are losing track of coerced isoDate only
           !args[1].schema.$_getRule('isoDate') ||
-          !sources.getStore()?.assess ||
-          instrumentation.isLocked()
-        )
-          return;
+          !getSourceContext()
+        ) return;
         const argInfo = tracker.getData(args[0]);
@@ -194,7 +189,7 @@ module.exports = function(core) {
     });
   }
-  return (joiInstrumentation.stringSchema = {
+  return joiInstrumentation.stringSchema = {
     install() {
       depHooks.resolve(
         { name: 'joi', file: 'lib/types/string.js', version: '>=17.0.0' },
@@ -229,6 +224,6 @@ module.exports = function(core) {
           }
         }
       );
-    },
-  });
+    }
+  };
 };

package/lib/dataflow/propagation/install/joi/utils.js CHANGED Viewed

@@ -16,8 +16,11 @@
 'use strict';
 const {
-  StringPrototypeSplit,
-  ArrayPrototypeJoin,
+  primordials: {
+    StringPrototypeSplit,
+    ArrayPrototypeJoin,
+    ArrayPrototypeSlice,
+  },
   DataflowTag: { CUSTOM_VALIDATED }
 } = require('@contrast/common');
@@ -75,10 +78,10 @@ function tagCustomValidatedString(createPropagationEvent, strInfo, metadata) {
 function handleReferences(tracker, schema, validationFn) {
   const contrastData = schema?.schema?.__CONTRAST__;
   let refTargetPath = contrastData && ArrayPrototypeJoin.call(schema.state.path, '.');
-  const inReferenceTargetPath = contrastData && ArrayPrototypeJoin.call(schema.state.path.slice(0, -1), '.');
+  const inReferenceTargetPath = contrastData && ArrayPrototypeJoin.call(ArrayPrototypeSlice.call(schema.state.path, 0, -1), '.');
   if (contrastData?.inReferenceTargets.has(inReferenceTargetPath)) {
     refTargetPath = ArrayPrototypeJoin.call(
-      schema.state.path.slice(0, -1),
+      ArrayPrototypeSlice.call(schema.state.path, 0, -1),
       '.'
     );
   }