npm - @contrast/assess - Versions diffs - 1.35.0 → 1.37.0 - Mend

@contrast/assess 1.35.0 → 1.37.0

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (169) hide show

package/lib/dataflow/propagation/install/string/slice.test.js CHANGED Viewed

@@ -6,6 +6,7 @@ const { initAssessFixture } = require('@contrast/test/fixtures');
 describe('assess dataflow propagation string slice', function () {
   let core, tracker, trackString, simulateRequestScope;
+  const allPatcher = new Map();
   beforeEach(function () {
     ({
@@ -23,6 +24,18 @@ describe('assess dataflow propagation string slice', function () {
     sinon.resetHistory();
   });
+  // eslint-disable-next-line mocha/no-sibling-hooks
+  afterEach(function() {
+    core.Perf.fromAllToMap('patcher', allPatcher);
+  });
+  after(function() {
+    const stats = core.Perf.getStats(allPatcher);
+    for (const [key, { n, totalMicros, mean }] of stats.entries()) {
+      console.log(key, n, totalMicros, 'nsec', mean, 'mean');
+    }
+  });
   [
     {
       desc: 'not tracked',

package/lib/dataflow/propagation/install/string/split.js CHANGED Viewed

@@ -15,7 +15,7 @@
 'use strict';
-const { ArrayPrototypeJoin } = require('@contrast/common');
+const { primordials: { ArrayPrototypeJoin } } = require('@contrast/common');
 const { InstrumentationType: { PROPAGATOR } } = require('../../../../constants');
 const { createSubsetTags, getAdjustedUntrackedValue } = require('../../../tag-utils');
 const { patchType } = require('../../common');
@@ -37,6 +37,7 @@ module.exports = function(core) {
       patcher.patch(String.prototype, 'split', {
         name,
         patchType,
+        usePerf: true,
         post(data) {
           const { name, args: origArgs, obj, result, hooked, orig } = data;
           if (

package/lib/dataflow/propagation/install/string/split.test.js CHANGED Viewed

@@ -6,6 +6,7 @@ const { initAssessFixture } = require('@contrast/test/fixtures');
 describe('assess dataflow propagation string split', function () {
   let core, simulateRequestScope, trackString, tracker;
+  const allPatcher = new Map();
   beforeEach(function () {
     ({
@@ -27,6 +28,18 @@ describe('assess dataflow propagation string split', function () {
     core.assess.dataflow.propagation.stringInstrumentation.split.uninstall();
   });
+  // eslint-disable-next-line mocha/no-sibling-hooks
+  afterEach(function() {
+    core.Perf.fromAllToMap('patcher', allPatcher);
+  });
+  after(function() {
+    const stats = core.Perf.getStats(allPatcher);
+    for (const [key, { n, totalMicros, mean }] of stats.entries()) {
+      console.log(key, n, totalMicros, 'nsec', mean, 'mean');
+    }
+  });
   describe('base cases', function () {
     it('normal split on non-tracked string', function () {
       simulateRequestScope(() => {

package/lib/dataflow/propagation/install/string/substring.js CHANGED Viewed

@@ -15,7 +15,7 @@
 'use strict';
-const { ArrayPrototypeJoin } = require('@contrast/common');
+const { primordials: { ArrayPrototypeJoin } } = require('@contrast/common');
 const { InstrumentationType: { PROPAGATOR } } = require('../../../../constants');
 const { createSubsetTags, getAdjustedUntrackedValue } = require('../../../tag-utils');
 const { patchType } = require('../../common');
@@ -62,6 +62,7 @@ module.exports = function(core) {
         patcher.patch(String.prototype, method, {
           name: `String.prototype.${method}`,
           patchType,
+          usePerf: true,
           post(data) {
             const { obj, args: origArgs, result, name, hooked, orig } = data;
             if (!result || !getSourceContext(PROPAGATOR)) return;

package/lib/dataflow/propagation/install/string/substring.test.js CHANGED Viewed

@@ -6,6 +6,7 @@ const { initAssessFixture } = require('@contrast/test/fixtures');
 describe('assess dataflow propagation string substring', function () {
   let core, tracker, trackString, simulateRequestScope;
+  const allPatcher = new Map();
   beforeEach(function () {
     ({
@@ -23,6 +24,18 @@ describe('assess dataflow propagation string substring', function () {
     sinon.resetHistory();
   });
+  // eslint-disable-next-line mocha/no-sibling-hooks
+  afterEach(function() {
+    core.Perf.fromAllToMap('patcher', allPatcher);
+  });
+  after(function() {
+    const stats = core.Perf.getStats(allPatcher);
+    for (const [key, { n, totalMicros, mean }] of stats.entries()) {
+      console.log(key, n, totalMicros, 'nsec', mean, 'mean');
+    }
+  });
   [
     {
       desc: 'below',

package/lib/dataflow/propagation/install/string/trim.js CHANGED Viewed

@@ -92,18 +92,21 @@ module.exports = function(core) {
         name: 'String.prototype.trim',
         patchType,
         post: createPostHook('trim'),
+        usePerf: true,
       });
       patcher.patch(String.prototype, 'trimStart', {
         name: 'String.prototype.trimStart',
         patchType,
-        post: createPostHook('trimStart')
+        post: createPostHook('trimStart'),
+        usePerf: true,
       });
       patcher.patch(String.prototype, 'trimEnd', {
         name: 'String.prototype.trimEnd',
         patchType,
         post: createPostHook('trimEnd', 0),
+        usePerf: true,
       });
     },
     uninstall() {

package/lib/dataflow/propagation/install/string/trim.test.js CHANGED Viewed

@@ -6,6 +6,7 @@ const { initAssessFixture } = require('@contrast/test/fixtures');
 describe('assess dataflow propagation string trim', function () {
   let core, tracker, trackString, simulateRequestScope;
+  const allPatcher = new Map();
   beforeEach(function () {
     ({
@@ -23,6 +24,18 @@ describe('assess dataflow propagation string trim', function () {
     sinon.resetHistory();
   });
+  // eslint-disable-next-line mocha/no-sibling-hooks
+  afterEach(function() {
+    core.Perf.fromAllToMap('patcher', allPatcher);
+  });
+  after(function() {
+    const stats = core.Perf.getStats(allPatcher);
+    for (const [key, { n, totalMicros, mean }] of stats.entries()) {
+      console.log(key, n, totalMicros, 'nsec', mean, 'mean');
+    }
+  });
   [
     {
       str: 'not-tracked',

package/lib/dataflow/propagation/install/unescape.js CHANGED Viewed

@@ -15,19 +15,16 @@
 'use strict';
-const {
-  DataflowTag: { WEAK_URL_ENCODED }
-} = require('@contrast/common');
-const {
-  createFullLengthCopyTags
-} = require('../../tag-utils');
+const { DataflowTag: { WEAK_URL_ENCODED } } = require('@contrast/common');
+const { InstrumentationType: { PROPAGATOR } } = require('../../../constants');
+const { createFullLengthCopyTags } = require('../../tag-utils');
 const { patchType, createObjectLabel } = require('../common');
 module.exports = function(core) {
   const {
-    scopes: { sources, instrumentation },
     patcher,
     assess: {
+      getSourceContext,
       eventFactory: { createPropagationEvent },
       dataflow: { tracker }
     }
@@ -42,7 +39,7 @@ module.exports = function(core) {
         patchType,
         post(data) {
           const { args, result, hooked, orig } = data;
-          if (!result || !args[0] || !sources.getStore()?.assess || instrumentation.isLocked()) return;
+          if (!result || !args[0] || !getSourceContext(PROPAGATOR)) return;
           const argInfo = tracker.getData(args[0]);

package/lib/dataflow/propagation/install/unescape.test.js CHANGED Viewed

@@ -58,12 +58,12 @@ describe('assess dataflow propagation unescape', function () {
     });
   });
-  it('will not propagate if there is no assess context', function () {
+  it('will not propagate if there is no assess policy in request context', function () {
     simulateRequestScope(function () {
       const value = trackString('%3Ftest%3Dstr');
       const result = unescape(value);
       expect(tracker.getData(result)).to.be.null;
-    }, {});
+    }, { assess: { policy: null } });
   });
   it('will not propagate if there instrumentation is locked', function () {

package/lib/dataflow/propagation/install/url/domain-parsers.js CHANGED Viewed

@@ -15,17 +15,16 @@
 'use strict';
-const {
-  createFullLengthCopyTags
-} = require('../../../tag-utils');
+const { InstrumentationType: { PROPAGATOR } } = require('../../../../constants');
+const { createFullLengthCopyTags } = require('../../../tag-utils');
 const { patchType, createModuleLabel } = require('../../common');
 module.exports = function(core) {
   const {
-    scopes: { sources, instrumentation },
     patcher,
     depHooks,
     assess: {
+      getSourceContext,
       eventFactory: { createPropagationEvent },
       dataflow: { tracker }
     }
@@ -42,7 +41,7 @@ module.exports = function(core) {
             patchType,
             post(data) {
               const { args, result, hooked, orig } = data;
-              if (!result || !args[0] || !sources.getStore()?.assess || instrumentation.isLocked()) return;
+              if (!result || !args[0] || !getSourceContext(PROPAGATOR)) return;
               const argInfo = tracker.getData(args[0]);

package/lib/dataflow/propagation/install/url/domain-parsers.test.js CHANGED Viewed

@@ -43,12 +43,12 @@ describe('assess dataflow propagation url domain-parsers', function () {
     });
   });
-  it('will not propagate if there is no assess context', function () {
+  it('will not propagate if there is no assess store in request context', function () {
     simulateRequestScope(function () {
       const value = trackString('foo');
       const result = url.domainToASCII(value);
       expect(tracker.getData(result)).to.be.null;
-    }, {});
+    }, { assess: { policy: null } });
   });
   it('will not propagate if there instrumentation is locked', function () {

package/lib/dataflow/propagation/install/url/parse.js CHANGED Viewed

@@ -15,14 +15,15 @@
 'use strict';
+const { InstrumentationType: { PROPAGATOR } } = require('../../../../constants');
 const { patchType } = require('../../common');
 module.exports = function(core) {
   const {
-    scopes: { sources, instrumentation },
     patcher,
     depHooks,
     assess: {
+      getSourceContext,
       inspect, // todo: remove
       eventFactory: { createPropagationEvent },
       dataflow: { tracker }
@@ -88,7 +89,7 @@ module.exports = function(core) {
           patchType,
           post(data) {
             const { args, result, hooked, orig } = data;
-            if (!result || !args[0] || !sources.getStore()?.assess || instrumentation.isLocked()) return;
+            if (!result || !args[0] || !getSourceContext(PROPAGATOR)) return;
             const [url, parseQueryString] = args;
             const argInfo = tracker.getData(url);

package/lib/dataflow/propagation/install/url/parse.test.js CHANGED Viewed

@@ -67,14 +67,14 @@ describe('assess dataflow propagation url.parse', function () {
     });
   });
-  it('will not propagate if there is no assess context', function () {
+  it('will not propagate if there is no assess policy in request context', function () {
     simulateRequestScope(function () {
       const value = trackString('foo');
       const result = new url.parse('http://'.concat(value, ':3000/path'));
       keys.forEach((key) => {
         expect(tracker.getData(result[key])).to.be.null;
       });
-    }, {});
+    }, { assess: { policy: null } });
   });
   it('will not propagate if there instrumentation is locked', function () {

package/lib/dataflow/propagation/install/url/searchParams.js CHANGED Viewed

@@ -15,17 +15,18 @@
 'use strict';
-const { patchType } = require('../../common');
-const { isString, StringPrototypeConcat, StringPrototypeReplaceAll } = require('@contrast/common');
+const { isString, primordials: { StringPrototypeConcat, StringPrototypeReplaceAll } } = require('@contrast/common');
+const { InstrumentationType: { PROPAGATOR } } = require('../../../../constants');
 const { createAppendTags } = require('../../../tag-utils');
+const { patchType } = require('../../common');
 module.exports = function(core) {
   const {
-    scopes: { sources, instrumentation },
     patcher,
     depHooks,
     assess: {
       inspect, // todo: remove
+      getSourceContext,
       eventFactory: { createPropagationEvent },
       dataflow: { tracker }
     }
@@ -60,7 +61,6 @@ module.exports = function(core) {
   return core.assess.dataflow.propagation.urlInstrumentation.searchParams = {
     install() {
       depHooks.resolve({ name: 'url' }, (url) => {
         const name = 'url.URLSearchParams';
         patcher.patch(url, 'URLSearchParams', {
@@ -68,7 +68,7 @@ module.exports = function(core) {
           patchType,
           post(data) {
             const { args, obj, result } = data;
-            if (!result || !args[0] || !sources.getStore()?.assess || instrumentation.isLocked()) return;
+            if (!result || !args[0] || !getSourceContext(PROPAGATOR)) return;
             const [params] = args;

package/lib/dataflow/propagation/install/url/searchParams.test.js CHANGED Viewed

@@ -40,14 +40,14 @@ describe('assess dataflow propagation url.URLSearchParams', function () {
     });
   });
-  it('will not propagate if there is no assess context', function () {
+  it('will not propagate if there is no assess policy in request context', function () {
     simulateRequestScope(function () {
       const value = trackString('foo');
       const result = new url.URLSearchParams('?query='.concat(value));
       const input = result.get('query');
       expect(input).to.be.equal('foo');
       expect(tracker.getData(input)).to.be.null;
-    }, {});
+    }, { assess: { policy: null } });
   });
   it('will not propagate if instrumentation is locked', function () {

package/lib/dataflow/propagation/install/url/url.js CHANGED Viewed

@@ -15,14 +15,17 @@
 'use strict';
+const { InstrumentationType: { PROPAGATOR } } = require('../../../../constants');
 const { patchType } = require('../../common');
+const { primordials: { StringPrototypeSplit } } = require('@contrast/common');
 module.exports = function(core) {
   const {
-    scopes: { sources, instrumentation },
     patcher,
     depHooks,
     assess: {
+      getSourceContext,
       inspect, // todo: remove
       eventFactory: { createPropagationEvent },
       dataflow: { tracker }
@@ -91,7 +94,7 @@ module.exports = function(core) {
           patchType,
           post(data) {
             const { args, result } = data;
-            if (!result || !args[0] || !sources.getStore()?.assess || instrumentation.isLocked()) return;
+            if (!result || !args[0] || !getSourceContext(PROPAGATOR)) return;
             const [input, basename] = args;
             let url = input;
@@ -143,7 +146,7 @@ module.exports = function(core) {
                   if (part !== 'null') {
                     if (key === 'origin') {
-                      const [protocol, originWithoutProtocol] = part.split(new RegExp('(?<=//)'));
+                      const [protocol, originWithoutProtocol] = StringPrototypeSplit.call(part, new RegExp('(?<=//)'));
                       const idx1 = href.indexOf(protocol);
                       const idx2 = href.indexOf(originWithoutProtocol, idx - 1);
                       substr = href.substring(idx1, idx1 + protocol.length).concat(href.substring(idx2, idx2 + originWithoutProtocol.length));

package/lib/dataflow/propagation/install/url/url.test.js CHANGED Viewed

@@ -67,14 +67,14 @@ describe('assess dataflow propagation url.URL', function () {
     });
   });
-  it('will not propagate if there is no assess context', function () {
+  it('will not propagate if there is no assess policy in request context', function () {
     simulateRequestScope(function () {
       const value = trackString('foo');
       const result = new url.URL('http://'.concat(value, ':3000/path'));
       keys.forEach((key) => {
         expect(tracker.getData(result[key])).to.be.null;
       });
-    }, {});
+    }, { assess: { policy: null } });
   });
   it('will not propagate if there instrumentation is locked', function () {

package/lib/dataflow/propagation/install/util-format.js CHANGED Viewed

@@ -15,16 +15,17 @@
 'use strict';
-const { patchType } = require('../common');
-const { isString } = require('@contrast/common');
+const { isString, primordials: { StringPrototypeMatch, StringPrototypeToLowerCase } } = require('@contrast/common');
+const { InstrumentationType: { PROPAGATOR } } = require('../../../constants');
 const { createAppendTags } = require('../../tag-utils');
+const { patchType } = require('../common');
 module.exports = function(core) {
   const {
-    scopes: { sources, instrumentation },
     patcher,
     depHooks,
     assess: {
+      getSourceContext,
       eventFactory: { createPropagationEvent },
       dataflow: { tracker }
     }
@@ -40,13 +41,13 @@ module.exports = function(core) {
           patchType,
           post(data) {
             const { args, result, hooked, orig } = data;
-            if (!result || !args[0] || !isString(args[0]) || !sources.getStore()?.assess || instrumentation.isLocked()) return;
+            if (!result || !args[0] || !isString(args[0]) || !getSourceContext(PROPAGATOR)) return;
             let idx = 0;
             let newTags = {};
             const history = [];
             const eventArgs = [];
-            const formatChars = args[0].includes('%') ? args[0].match(/[^%]+/g).map((x) => x[0]) : [];
+            const formatChars = args[0].includes('%') ? StringPrototypeMatch.call(args[0], /[^%]+/g).map((x) => x[0]) : [];
             let i = 0;
             if (formatChars.length > 0) {
@@ -61,7 +62,7 @@ module.exports = function(core) {
                 if (formatChar === 'j') {
                   arg = JSON.stringify(arg);
-                } else if (formatChar.toLowerCase() === 'o') {
+                } else if (StringPrototypeToLowerCase.call(formatChar) === 'o') {
                   // TO-DO: NODE-3235
                 }
               }

package/lib/dataflow/propagation/install/util-format.test.js CHANGED Viewed

@@ -25,12 +25,12 @@ describe('assess dataflow propagation util.format', function () {
     core.depHooks.resolve.yield(util);
   });
-  it('will not propagate if there is no assess context', function () {
+  it('will not propagate if there is no assess policy in request context', function () {
     simulateRequestScope(function () {
       const value = trackString('foo');
       const result = util.format('%s:%s', value, 'bar');
       expect(tracker.getData(result)).to.be.null;
-    }, {});
+    }, { assess: { policy: null } });
   });
   it('will not propagate if there instrumentation is locked', function () {

package/lib/dataflow/propagation/install/validator/hooks.js CHANGED Viewed

@@ -26,6 +26,7 @@ module.exports = function (core) {
     depHooks,
     patcher,
     assess: {
+      getSourceContext,
       eventFactory: { createPropagationEvent },
       dataflow: { tracker }
     }
@@ -73,7 +74,8 @@ module.exports = function (core) {
                 const matches = validator === 'matches';
                 if (
                   data.result &&
-                  (!matches || (matches && core.config.assess.trust_custom_validators))
+                  (!matches || (matches && core.config.assess.trust_custom_validators)) &&
+                  getSourceContext()
                 ) {
                   const trackingData = tracker.getData(data.args[0]);
                   if (trackingData) {
@@ -104,7 +106,7 @@ module.exports = function (core) {
             name: `validator.${untracker}`,
             patchType,
             post(data) {
-              if (data.result) {
+              if (data.result && getSourceContext()) {
                 const trackingData = tracker.getData(data.args[0]);
                 if (trackingData) {
                   tracker.untrack(data.args[0]);
@@ -121,6 +123,7 @@ module.exports = function (core) {
             name: `validator.${sanitizer}`,
             patchType,
             post(data) {
+              if (!getSourceContext()) return;
               const trackingData = tracker.getData(data.args[0]);
               if (trackingData) {
                 const newTags = {};
@@ -153,6 +156,8 @@ module.exports = function (core) {
             name: `validator.${method}`,
             patchType,
             post(data) {
+              if (!getSourceContext()) return;
               const options = data.args[1];
               const trackingData = tracker.getData(data.args[0]);

package/lib/dataflow/sinks/install/child-process.js CHANGED Viewed

@@ -16,7 +16,7 @@
 'use strict';
 const {
   DataflowTag: { UNTRUSTED },
-  ArrayPrototypeJoin,
+  primordials: { ArrayPrototypeJoin },
   Rule: { CMD_INJECTION: ruleId },
   isString,
 } = require('@contrast/common');

package/lib/dataflow/sinks/install/child-process.test.js CHANGED Viewed

@@ -6,7 +6,7 @@ const {
 const sinon = require('sinon');
 const { expect } = require('chai');
 const { initAssessFixture } = require('@contrast/test/fixtures');
-const { UtilInspect } = require('@contrast/common');
+const { primordials: { UtilInspect } } = require('@contrast/common');
 describe('assess dataflow sinks child_process', function () {
   let core, child_process, simulateRequestScope, trackString, tracker, reportFindings;

package/lib/dataflow/sinks/install/fs.js CHANGED Viewed

@@ -26,7 +26,7 @@ const {
   FS_METHODS,
   Rule: { PATH_TRAVERSAL: ruleId },
   isString,
-  ArrayPrototypeJoin,
+  primordials: { ArrayPrototypeJoin },
 } = require('@contrast/common');
 const { InstrumentationType: { RULE } } = require('../../../constants');

package/lib/dataflow/sinks/install/fs.test.js CHANGED Viewed

@@ -2,7 +2,7 @@
 const sinon = require('sinon');
 const { expect } = require('chai');
-const { FS_METHODS, ArrayPrototypeJoin, UtilInspect } = require('@contrast/common');
+const { FS_METHODS, primordials: { ArrayPrototypeJoin, UtilInspect } } = require('@contrast/common');
 const { initAssessFixture } = require('@contrast/test/fixtures');
 describe('assess dataflow sinks path-traversal', function () {

package/lib/dataflow/sinks/install/function.js CHANGED Viewed

@@ -17,7 +17,7 @@
 const {
   isString,
-  ArrayPrototypeJoin,
+  primordials: { ArrayPrototypeJoin },
   DataflowTag: {
     UNTRUSTED,
     CUSTOM_ENCODED_TRUST_BOUNDARY_VIOLATION,

package/lib/dataflow/sinks/install/http/request.js CHANGED Viewed

@@ -27,6 +27,7 @@ const {
     LIMITED_CHARS
   },
   Rule: { SSRF: ruleId },
+  primordials: { RegExpPrototypeExec }
 } = require('@contrast/common');
 const { InstrumentationType: { RULE } } = require('../../../../constants');
 const { createAppendTags } = require('../../../tag-utils');
@@ -84,7 +85,7 @@ module.exports = function(core) {
   function containsTrustedLib(stack) {
     for (const { file } of stack) {
       for (const trusted of trustedLibs) {
-        if (trusted.exec(file)) {
+        if (RegExpPrototypeExec.call(trusted, file)) {
           return true;
         }
       }

package/lib/dataflow/sinks/install/http/request.test.js CHANGED Viewed

@@ -7,7 +7,7 @@ const {
     UNTRUSTED,
     LIMITED_CHARS
   },
-  UtilInspect
+  primordials: { UtilInspect }
 } = require('@contrast/common');
 const { initAssessFixture } = require('@contrast/test/fixtures');

package/lib/dataflow/sinks/install/http/server-response.test.js CHANGED Viewed

@@ -73,17 +73,15 @@ describe('assess dataflow sinks http, http2, spdy', function () {
           });
           it('skips instrumentation if the content-type is safe', function () {
-            const store = {
-              assess: { responseData: { contentType: 'application/json' } },
-            };
             simulateRequestScope(function () {
+              core.scopes.sources.getStore().assess.responseData.contentType = 'application/json';
               const str = trackString('hello world');
               const { extern } = tracker.getData(str);
               response[method](extern);
               expect(reportFindings).to.not.have.been.called;
-            }, store);
+            });
           });
           it('skips instrumentation if the string is safe', function () {

package/lib/dataflow/sinks/install/restify.js CHANGED Viewed

@@ -26,7 +26,7 @@ const {
     URL_ENCODED,
   },
   isString,
-  ArrayPrototypeJoin,
+  primordials: { ArrayPrototypeJoin },
 } = require('@contrast/common');
 const { InstrumentationType: { RULE } } = require('../../../constants');
 const { createAppendTags } = require('../../tag-utils');

package/lib/dataflow/sinks/install/vm.js CHANGED Viewed

@@ -27,8 +27,10 @@ const {
   Rule: { UNSAFE_CODE_EXECUTION: ruleId },
   isNonEmptyObject,
   isString,
-  ArrayPrototypeJoin,
-  StringPrototypeSplit,
+  primordials: {
+    ArrayPrototypeJoin,
+    StringPrototypeSplit,
+  },
   traverseValues,
 } = require('@contrast/common');
 const { InstrumentationType: { RULE } } = require('../../../constants');