@contrast/assess 1.40.0 → 1.42.0
- package/lib/crypto-analysis/install/crypto.js +4 -5
- package/lib/crypto-analysis/install/crypto.test.js +1 -1
- package/lib/crypto-analysis/install/math.js +2 -4
- package/lib/dataflow/propagation/install/JSON/parse.js +2 -3
- package/lib/dataflow/propagation/install/JSON/stringify.js +3 -4
- package/lib/dataflow/propagation/install/array-prototype-join.js +2 -3
- package/lib/dataflow/propagation/install/buffer.js +3 -4
- package/lib/dataflow/propagation/install/contrast-methods/add.js +2 -3
- package/lib/dataflow/propagation/install/contrast-methods/number.js +2 -3
- package/lib/dataflow/propagation/install/contrast-methods/string.js +2 -3
- package/lib/dataflow/propagation/install/contrast-methods/tag.js +2 -3
- package/lib/dataflow/propagation/install/decode-uri-component.js +2 -3
- package/lib/dataflow/propagation/install/ejs/escape-xml.js +3 -4
- package/lib/dataflow/propagation/install/ejs/template.js +3 -4
- package/lib/dataflow/propagation/install/ejs/template.test.js +1 -1
- package/lib/dataflow/propagation/install/encode-uri.js +2 -3
- package/lib/dataflow/propagation/install/escape-html.js +3 -4
- package/lib/dataflow/propagation/install/escape.js +2 -3
- package/lib/dataflow/propagation/install/fastify-send.js +3 -3
- package/lib/dataflow/propagation/install/fastify-send.test.js +1 -3
- package/lib/dataflow/propagation/install/handlebars-utils-escape-expression.js +3 -4
- package/lib/dataflow/propagation/install/isnumeric-0.js +1 -1
- package/lib/dataflow/propagation/install/joi/any.js +1 -1
- package/lib/dataflow/propagation/install/joi/any.test.js +1 -1
- package/lib/dataflow/propagation/install/joi/array.test.js +5 -5
- package/lib/dataflow/propagation/install/joi/boolean.js +3 -3
- package/lib/dataflow/propagation/install/joi/boolean.test.js +1 -1
- package/lib/dataflow/propagation/install/joi/expression.js +3 -3
- package/lib/dataflow/propagation/install/joi/expression.test.js +1 -1
- package/lib/dataflow/propagation/install/joi/index.js +3 -3
- package/lib/dataflow/propagation/install/joi/keys.js +3 -3
- package/lib/dataflow/propagation/install/joi/number.js +3 -3
- package/lib/dataflow/propagation/install/joi/number.test.js +1 -1
- package/lib/dataflow/propagation/install/joi/object.js +1 -1
- package/lib/dataflow/propagation/install/joi/object.test.js +1 -1
- package/lib/dataflow/propagation/install/joi/ref.test.js +4 -4
- package/lib/dataflow/propagation/install/joi/string-schema.js +4 -4
- package/lib/dataflow/propagation/install/joi/string-schema.test.js +4 -4
- package/lib/dataflow/propagation/install/joi/values.js +3 -3
- package/lib/dataflow/propagation/install/mongoose/schema-map.js +4 -4
- package/lib/dataflow/propagation/install/mongoose/schema-mixed.js +4 -4
- package/lib/dataflow/propagation/install/mongoose/schema-string.js +4 -4
- package/lib/dataflow/propagation/install/mustache-escape.js +3 -4
- package/lib/dataflow/propagation/install/mustache-escape.test.js +1 -1
- package/lib/dataflow/propagation/install/mysql-connection-escape.js +22 -14
- package/lib/dataflow/propagation/install/mysql-connection-escape.test.js +1 -1
- package/lib/dataflow/propagation/install/parse-int.js +2 -3
- package/lib/dataflow/propagation/install/path/basename.js +3 -4
- package/lib/dataflow/propagation/install/path/dirname.js +3 -4
- package/lib/dataflow/propagation/install/path/extname.js +3 -4
- package/lib/dataflow/propagation/install/path/format.js +3 -4
- package/lib/dataflow/propagation/install/path/index.test.js +1 -1
- package/lib/dataflow/propagation/install/path/join-and-resolve.js +3 -4
- package/lib/dataflow/propagation/install/path/normalize.js +4 -5
- package/lib/dataflow/propagation/install/path/parse.js +3 -4
- package/lib/dataflow/propagation/install/path/relative.js +4 -5
- package/lib/dataflow/propagation/install/path/toNamespacedPath.js +3 -4
- package/lib/dataflow/propagation/install/pug/index.js +3 -4
- package/lib/dataflow/propagation/install/pug-runtime-escape.js +3 -4
- package/lib/dataflow/propagation/install/querystring/escape.js +3 -4
- package/lib/dataflow/propagation/install/querystring/escape.test.js +1 -1
- package/lib/dataflow/propagation/install/querystring/parse.js +3 -4
- package/lib/dataflow/propagation/install/querystring/parse.test.js +1 -1
- package/lib/dataflow/propagation/install/querystring/stringify.js +3 -4
- package/lib/dataflow/propagation/install/querystring/stringify.test.js +1 -1
- package/lib/dataflow/propagation/install/reg-exp-prototype-exec.js +2 -3
- package/lib/dataflow/propagation/install/send.js +3 -3
- package/lib/dataflow/propagation/install/sequelize/query-generator.js +3 -3
- package/lib/dataflow/propagation/install/sequelize/query-generator.test.js +2 -1
- package/lib/dataflow/propagation/install/sequelize/sql-string.js +5 -5
- package/lib/dataflow/propagation/install/sql-template-strings.js +3 -3
- package/lib/dataflow/propagation/install/string/concat.js +2 -3
- package/lib/dataflow/propagation/install/string/format-methods.js +2 -3
- package/lib/dataflow/propagation/install/string/html-methods.js +3 -4
- package/lib/dataflow/propagation/install/string/match-all.js +2 -3
- package/lib/dataflow/propagation/install/string/match.js +2 -3
- package/lib/dataflow/propagation/install/string/replace.js +2 -3
- package/lib/dataflow/propagation/install/string/slice.js +2 -3
- package/lib/dataflow/propagation/install/string/split.js +2 -3
- package/lib/dataflow/propagation/install/string/substring.js +2 -3
- package/lib/dataflow/propagation/install/string/trim.js +2 -3
- package/lib/dataflow/propagation/install/unescape.js +2 -3
- package/lib/dataflow/propagation/install/url/domain-parsers.js +3 -4
- package/lib/dataflow/propagation/install/url/parse.js +3 -4
- package/lib/dataflow/propagation/install/url/parse.test.js +2 -2
- package/lib/dataflow/propagation/install/url/searchParams.js +3 -4
- package/lib/dataflow/propagation/install/url/url.js +3 -4
- package/lib/dataflow/propagation/install/util-format.js +3 -4
- package/lib/dataflow/propagation/install/validator/hooks.js +9 -9
- package/lib/dataflow/sinks/install/child-process.js +5 -6
- package/lib/dataflow/sinks/install/eval.js +2 -3
- package/lib/dataflow/sinks/install/express/reflected-xss.js +3 -4
- package/lib/dataflow/sinks/install/express/unvalidated-redirect.js +3 -4
- package/lib/dataflow/sinks/install/fastify/unvalidated-redirect.js +3 -4
- package/lib/dataflow/sinks/install/fs.js +4 -5
- package/lib/dataflow/sinks/install/fs.test.js +2 -2
- package/lib/dataflow/sinks/install/function.js +2 -3
- package/lib/dataflow/sinks/install/hapi/unvalidated-redirect.js +3 -4
- package/lib/dataflow/sinks/install/http/request.js +3 -4
- package/lib/dataflow/sinks/install/http/request.test.js +2 -2
- package/lib/dataflow/sinks/install/http/server-response.js +5 -6
- package/lib/dataflow/sinks/install/http/server-response.test.js +3 -3
- package/lib/dataflow/sinks/install/koa/unvalidated-redirect.js +3 -4
- package/lib/dataflow/sinks/install/libxmljs.js +4 -5
- package/lib/dataflow/sinks/install/libxmljs.test.js +2 -2
- package/lib/dataflow/sinks/install/marsdb.js +3 -4
- package/lib/dataflow/sinks/install/marsdb.test.js +3 -3
- package/lib/dataflow/sinks/install/mongodb.js +3 -4
- package/lib/dataflow/sinks/install/mongodb.test.js +2 -6
- package/lib/dataflow/sinks/install/mssql.js +4 -5
- package/lib/dataflow/sinks/install/mssql.test.js +2 -2
- package/lib/dataflow/sinks/install/mysql.js +4 -5
- package/lib/dataflow/sinks/install/mysql.test.js +2 -11
- package/lib/dataflow/sinks/install/node-serialize.js +3 -4
- package/lib/dataflow/sinks/install/node-serialize.test.js +1 -3
- package/lib/dataflow/sinks/install/postgres.js +5 -6
- package/lib/dataflow/sinks/install/postgres.test.js +3 -9
- package/lib/dataflow/sinks/install/restify.js +3 -4
- package/lib/dataflow/sinks/install/restify.test.js +3 -5
- package/lib/dataflow/sinks/install/sequelize.js +3 -4
- package/lib/dataflow/sinks/install/sqlite3.js +3 -4
- package/lib/dataflow/sinks/install/vm.js +3 -4
- package/lib/dataflow/sources/install/body-parser1.js +2 -4
- package/lib/dataflow/sources/install/body-parser1.test.js +4 -8
- package/lib/dataflow/sources/install/busboy.js +3 -4
- package/lib/dataflow/sources/install/busboy.test.js +2 -2
- package/lib/dataflow/sources/install/cookie-parser1.js +2 -4
- package/lib/dataflow/sources/install/cookie-parser1.test.js +2 -4
- package/lib/dataflow/sources/install/express/params.js +56 -38
- package/lib/dataflow/sources/install/express/params.test.js +80 -73
- package/lib/dataflow/sources/install/express/parsedUrl.js +45 -29
- package/lib/dataflow/sources/install/express/parsedUrl.test.js +71 -29
- package/lib/dataflow/sources/install/fastify/fastify.js +2 -3
- package/lib/dataflow/sources/install/fastify/fastify.test.js +3 -6
- package/lib/dataflow/sources/install/formidable1.js +2 -3
- package/lib/dataflow/sources/install/hapi/hapi.js +1 -2
- package/lib/dataflow/sources/install/http.js +2 -3
- package/lib/dataflow/sources/install/http.test.js +2 -2
- package/lib/dataflow/sources/install/koa/koa-bodyparsers.js +3 -5
- package/lib/dataflow/sources/install/koa/koa-multer.js +3 -4
- package/lib/dataflow/sources/install/koa/koa-multer.test.js +1 -1
- package/lib/dataflow/sources/install/koa/koa-routers.js +3 -4
- package/lib/dataflow/sources/install/koa/koa2.js +2 -4
- package/lib/dataflow/sources/install/multer1.js +2 -3
- package/lib/dataflow/sources/install/multer1.test.js +1 -3
- package/lib/dataflow/sources/install/qs6.js +2 -4
- package/lib/dataflow/sources/install/querystring.js +2 -3
- package/lib/dataflow/sources/install/restify/fieldedTextBodyParser.js +2 -3
- package/lib/dataflow/sources/install/restify/fieldedTextBodyParser.test.js +1 -1
- package/lib/dataflow/sources/install/restify/jsonBodyParser.js +2 -3
- package/lib/dataflow/sources/install/restify/jsonBodyParser.test.js +1 -1
- package/lib/dataflow/sources/install/restify/router.js +2 -4
- package/lib/dataflow/sources/install/restify/router.test.js +4 -6
- package/lib/get-source-context.js +77 -37
- package/lib/get-source-context.test.js +106 -53
- package/lib/index.d.ts +3 -9
- package/lib/response-scanning/install/http.js +3 -3
- package/lib/response-scanning/install/http.test.js +2 -2
- package/lib/session-configuration/install/express-session.js +1 -1
- package/lib/session-configuration/install/express-session.test.js +1 -3
- package/lib/session-configuration/install/fastify-cookie.js +1 -1
- package/lib/session-configuration/install/fastify-cookie.test.js +1 -3
- package/lib/session-configuration/install/koa.js +1 -1
- package/lib/session-configuration/install/koa.test.js +1 -1
- package/package.json +11 -11
- package/lib/constants.js +0 -26
- package/lib/dataflow/sinks/install/fs-original.js +0 -170
|
@@ -23,7 +23,7 @@ module.exports = function(core) {
|
|
|
23
23
|
depHooks,
|
|
24
24
|
patcher,
|
|
25
25
|
assess: {
|
|
26
|
-
|
|
26
|
+
getPropagatorContext,
|
|
27
27
|
inspect, // TODO NODE-3455: remove
|
|
28
28
|
eventFactory: { createPropagationEvent },
|
|
29
29
|
dataflow: { tracker },
|
|
@@ -40,7 +40,7 @@ module.exports = function(core) {
|
|
|
40
40
|
patchType,
|
|
41
41
|
usePerf: 'sync',
|
|
42
42
|
post(data) {
|
|
43
|
-
if (!data.result || !
|
|
43
|
+
if (!data.result || !getPropagatorContext()) return;
|
|
44
44
|
|
|
45
45
|
const argInfo = tracker.getData(data.args[0]);
|
|
46
46
|
|
|
@@ -82,7 +82,7 @@ module.exports = function(core) {
|
|
|
82
82
|
core.assess.dataflow.propagation.joiInstrumentation.expression = {
|
|
83
83
|
install() {
|
|
84
84
|
depHooks.resolve(
|
|
85
|
-
{ name: 'joi', file: 'lib/index.js', version: '>=17
|
|
85
|
+
{ name: 'joi', file: 'lib/index.js', version: '>=17 <18' },
|
|
86
86
|
(joi) => {
|
|
87
87
|
instrumentJoiExpression(joi, 'expression');
|
|
88
88
|
instrumentJoiExpression(joi, 'x');
|
|
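Review bot: The upper bound added in the `install()` hunk, `{ name: 'joi', file: 'lib/index.js', version: '>=17 <18' }`, has no comment saying why joi 18 is excluded or what happens when an application loads it. If `depHooks.resolve` simply never calls back for a version outside the range (not visible here), these propagators would stop installing after a joi upgrade with no signal to the operator, and validator-related tagging would quietly change. I would add a comment such as `// joi 18 not yet verified against this patch; widen after testing` and, if the hook API allows it, a debug log when a loaded version falls outside the range. The same applies to the bounds added in the other joi files, the mongoose `schema-*.js` files (`<9`), `mustache-escape.js` (`<5`) and `mysql-connection-escape.js` (`<3`, `<4`).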
@@ -12,7 +12,7 @@ describe('assess dataflow propagation joi expression', function() {
|
|
|
12
12
|
tracker = core.assess.dataflow.tracker;
|
|
13
13
|
core.config.assess.trust_custom_validators = true;
|
|
14
14
|
|
|
15
|
-
core.depHooks.resolve.withArgs({ name: 'joi', file: 'lib/index.js', version: '>=17
|
|
15
|
+
core.depHooks.resolve.withArgs({ name: 'joi', file: 'lib/index.js', version: '>=17 <18' }).yields(require('joi-17/lib/index'));
|
|
16
16
|
|
|
17
17
|
require('./index')(core).install();
|
|
18
18
|
joi = require('joi-17');
|
|
@@ -28,7 +28,7 @@ module.exports = function(core) {
|
|
|
28
28
|
const {
|
|
29
29
|
patcher,
|
|
30
30
|
assess: {
|
|
31
|
-
|
|
31
|
+
getPropagatorContext,
|
|
32
32
|
inspect, // TODO NODE-3455: remove
|
|
33
33
|
eventFactory: { createPropagationEvent },
|
|
34
34
|
dataflow: { tracker },
|
|
@@ -62,7 +62,7 @@ module.exports = function(core) {
|
|
|
62
62
|
return schema.$_terms?.externals?.length;
|
|
63
63
|
})) ||
|
|
64
64
|
!core.config.assess.trust_custom_validators ||
|
|
65
|
-
!
|
|
65
|
+
!getPropagatorContext()
|
|
66
66
|
)
|
|
67
67
|
return;
|
|
68
68
|
|
|
@@ -111,7 +111,7 @@ module.exports = function(core) {
|
|
|
111
111
|
(result.value === input &&
|
|
112
112
|
(result.messages?.source || result.local?.error)) ||
|
|
113
113
|
!core.config.assess.trust_custom_validators ||
|
|
114
|
-
!
|
|
114
|
+
!getPropagatorContext()
|
|
115
115
|
)
|
|
116
116
|
return;
|
|
117
117
|
|
|
@@ -28,7 +28,7 @@ module.exports = function(core) {
|
|
|
28
28
|
const {
|
|
29
29
|
depHooks,
|
|
30
30
|
patcher,
|
|
31
|
-
assess: {
|
|
31
|
+
assess: { getPropagatorContext }
|
|
32
32
|
} = core;
|
|
33
33
|
|
|
34
34
|
function addMetadata(schema, refTargetPath, refPath, isInReference) {
|
|
@@ -126,7 +126,7 @@ module.exports = function(core) {
|
|
|
126
126
|
return core.assess.dataflow.propagation.joiInstrumentation.keys = {
|
|
127
127
|
install() {
|
|
128
128
|
depHooks.resolve(
|
|
129
|
-
{ name: 'joi', file: 'lib/types/keys.js', version: '>=17
|
|
129
|
+
{ name: 'joi', file: 'lib/types/keys.js', version: '>=17 <18' },
|
|
130
130
|
(joi) => {
|
|
131
131
|
patcher.patch(Object.getPrototypeOf(joi), 'keys', {
|
|
132
132
|
name: 'joi.keys',
|
|
@@ -136,7 +136,7 @@ module.exports = function(core) {
|
|
|
136
136
|
const [value] = data.args;
|
|
137
137
|
const joi = data.obj.$_root;
|
|
138
138
|
|
|
139
|
-
if (!
|
|
139
|
+
if (!getPropagatorContext()) return;
|
|
140
140
|
traverseSchemas(joi, value, value);
|
|
141
141
|
},
|
|
142
142
|
});
|
|
@@ -25,7 +25,7 @@ module.exports = function(core) {
|
|
|
25
25
|
depHooks,
|
|
26
26
|
patcher,
|
|
27
27
|
assess: {
|
|
28
|
-
|
|
28
|
+
getPropagatorContext,
|
|
29
29
|
inspect, // TODO NODE-3455: remove
|
|
30
30
|
eventFactory: { createPropagationEvent },
|
|
31
31
|
dataflow: { tracker },
|
|
@@ -48,7 +48,7 @@ module.exports = function(core) {
|
|
|
48
48
|
if (
|
|
49
49
|
!data.result?.value ||
|
|
50
50
|
data.result.errors ||
|
|
51
|
-
!
|
|
51
|
+
!getPropagatorContext()
|
|
52
52
|
) return;
|
|
53
53
|
|
|
54
54
|
const argInfo = tracker.getData(data.args[0]);
|
|
@@ -98,7 +98,7 @@ module.exports = function(core) {
|
|
|
98
98
|
return core.assess.dataflow.propagation.joiInstrumentation.numberCoerce = {
|
|
99
99
|
install() {
|
|
100
100
|
depHooks.resolve(
|
|
101
|
-
{ name: 'joi', file: 'lib/types/number.js', version: '>=17
|
|
101
|
+
{ name: 'joi', file: 'lib/types/number.js', version: '>=17 <18' },
|
|
102
102
|
instrumentJoiNumber
|
|
103
103
|
);
|
|
104
104
|
},
|
|
@@ -28,7 +28,7 @@ module.exports = function(core) {
|
|
|
28
28
|
joiInstrumentation.object = {
|
|
29
29
|
install() {
|
|
30
30
|
depHooks.resolve(
|
|
31
|
-
{ name: 'joi', file: 'lib/types/object', version: '>=17
|
|
31
|
+
{ name: 'joi', file: 'lib/types/object', version: '>=17 <18' },
|
|
32
32
|
(exp) => {
|
|
33
33
|
const objectTypePrototype = Object.getPrototypeOf(exp);
|
|
34
34
|
const def = objectTypePrototype?._definition;
|
|
@@ -12,7 +12,7 @@ describe('assess dataflow propagation joi object validator with custom or extern
|
|
|
12
12
|
tracker = core.assess.dataflow.tracker;
|
|
13
13
|
core.config.assess.trust_custom_validators = true;
|
|
14
14
|
|
|
15
|
-
core.depHooks.resolve.withArgs({ name: 'joi', file: 'lib/types/object', version: '>=17
|
|
15
|
+
core.depHooks.resolve.withArgs({ name: 'joi', file: 'lib/types/object', version: '>=17 <18' }).yields(require('joi-17/lib/types/object'));
|
|
16
16
|
|
|
17
17
|
require('./index')(core).install();
|
|
18
18
|
joi = require('joi-17');
|
|
@@ -11,10 +11,10 @@ describe('assess dataflow propagation joi string and ref', function() {
|
|
|
11
11
|
({ core, simulateRequestScope, trackString } = initAssessFixture());
|
|
12
12
|
tracker = core.assess.dataflow.tracker;
|
|
13
13
|
|
|
14
|
-
core.depHooks.resolve.withArgs({ name: 'joi', file: 'lib/types/string.js', version: '>=17
|
|
15
|
-
core.depHooks.resolve.withArgs({ name: 'joi', file: 'lib/types/keys.js', version: '>=17
|
|
16
|
-
core.depHooks.resolve.withArgs({ name: 'joi', file: 'lib/validator', version: '>=17
|
|
17
|
-
core.depHooks.resolve.withArgs({ name: 'joi', file: 'lib/values.js', version: '>=17
|
|
14
|
+
core.depHooks.resolve.withArgs({ name: 'joi', file: 'lib/types/string.js', version: '>=17 <18' }).yields(require('joi-17/lib/types/string'));
|
|
15
|
+
core.depHooks.resolve.withArgs({ name: 'joi', file: 'lib/types/keys.js', version: '>=17 <18' }).yields(require('joi-17/lib/types/keys'));
|
|
16
|
+
core.depHooks.resolve.withArgs({ name: 'joi', file: 'lib/validator', version: '>=17 <18' }).yields(require('joi-17/lib/validator'));
|
|
17
|
+
core.depHooks.resolve.withArgs({ name: 'joi', file: 'lib/values.js', version: '>=17 <18' }).yields(require('joi-17/lib/values'));
|
|
18
18
|
|
|
19
19
|
require('./index')(core).install();
|
|
20
20
|
joi = require('joi-17');
|
|
@@ -41,7 +41,7 @@ module.exports = function(core) {
|
|
|
41
41
|
depHooks,
|
|
42
42
|
patcher,
|
|
43
43
|
assess: {
|
|
44
|
-
|
|
44
|
+
getPropagatorContext,
|
|
45
45
|
inspect, // TODO NODE-3455: remove
|
|
46
46
|
eventFactory: { createPropagationEvent },
|
|
47
47
|
dataflow: {
|
|
@@ -113,7 +113,7 @@ module.exports = function(core) {
|
|
|
113
113
|
!input ||
|
|
114
114
|
(validatorName !== 'validate' && typeof data.result !== 'string') ||
|
|
115
115
|
(validatorName === 'validate' && data.result) ||
|
|
116
|
-
!
|
|
116
|
+
!getPropagatorContext()
|
|
117
117
|
) return;
|
|
118
118
|
|
|
119
119
|
const inspectedSchema = inspect(schema);
|
|
@@ -146,7 +146,7 @@ module.exports = function(core) {
|
|
|
146
146
|
!args[0] ||
|
|
147
147
|
// currently, we are losing track of coerced isoDate only
|
|
148
148
|
!args[1].schema.$_getRule('isoDate') ||
|
|
149
|
-
!
|
|
149
|
+
!getPropagatorContext()
|
|
150
150
|
) return;
|
|
151
151
|
|
|
152
152
|
const argInfo = tracker.getData(args[0]);
|
|
@@ -194,7 +194,7 @@ module.exports = function(core) {
|
|
|
194
194
|
return joiInstrumentation.stringSchema = {
|
|
195
195
|
install() {
|
|
196
196
|
depHooks.resolve(
|
|
197
|
-
{ name: 'joi', file: 'lib/types/string.js', version: '>=17
|
|
197
|
+
{ name: 'joi', file: 'lib/types/string.js', version: '>=17 <18' },
|
|
198
198
|
(stringType) => {
|
|
199
199
|
const stringTypePrototype = Object.getPrototypeOf(stringType);
|
|
200
200
|
const definition = stringTypePrototype?._definition;
|
|
@@ -11,10 +11,10 @@ describe('assess dataflow propagation joi string', function() {
|
|
|
11
11
|
({ core, simulateRequestScope, trackString } = initAssessFixture());
|
|
12
12
|
tracker = core.assess.dataflow.tracker;
|
|
13
13
|
|
|
14
|
-
core.depHooks.resolve.withArgs({ name: 'joi', file: 'lib/types/string.js', version: '>=17
|
|
15
|
-
core.depHooks.resolve.withArgs({ name: 'joi', file: 'lib/types/keys.js', version: '>=17
|
|
16
|
-
core.depHooks.resolve.withArgs({ name: 'joi', file: 'lib/validator', version: '>=17
|
|
17
|
-
core.depHooks.resolve.withArgs({ name: 'joi', file: 'lib/values.js', version: '>=17
|
|
14
|
+
core.depHooks.resolve.withArgs({ name: 'joi', file: 'lib/types/string.js', version: '>=17 <18' }).yields(require('joi-17/lib/types/string'));
|
|
15
|
+
core.depHooks.resolve.withArgs({ name: 'joi', file: 'lib/types/keys.js', version: '>=17 <18' }).yields(require('joi-17/lib/types/keys'));
|
|
16
|
+
core.depHooks.resolve.withArgs({ name: 'joi', file: 'lib/validator', version: '>=17 <18' }).yields(require('joi-17/lib/validator'));
|
|
17
|
+
core.depHooks.resolve.withArgs({ name: 'joi', file: 'lib/values.js', version: '>=17 <18' }).yields(require('joi-17/lib/values'));
|
|
18
18
|
|
|
19
19
|
require('./index')(core).install();
|
|
20
20
|
strInstr = require('../string')(core);
|
|
@@ -26,7 +26,7 @@ module.exports = function(core) {
|
|
|
26
26
|
depHooks,
|
|
27
27
|
patcher,
|
|
28
28
|
assess: {
|
|
29
|
-
|
|
29
|
+
getPropagatorContext,
|
|
30
30
|
inspect, // TODO NODE-3455: remove
|
|
31
31
|
eventFactory: { createPropagationEvent },
|
|
32
32
|
dataflow: { tracker },
|
|
@@ -47,7 +47,7 @@ module.exports = function(core) {
|
|
|
47
47
|
if (
|
|
48
48
|
!value ||
|
|
49
49
|
!result ||
|
|
50
|
-
!
|
|
50
|
+
!getPropagatorContext()
|
|
51
51
|
) return;
|
|
52
52
|
|
|
53
53
|
const metadata = {
|
|
@@ -145,7 +145,7 @@ module.exports = function(core) {
|
|
|
145
145
|
return core.assess.dataflow.propagation.joiInstrumentation.values = {
|
|
146
146
|
install() {
|
|
147
147
|
depHooks.resolve(
|
|
148
|
-
{ name: 'joi', file: 'lib/values.js', version: '>=17
|
|
148
|
+
{ name: 'joi', file: 'lib/values.js', version: '>=17 <18' },
|
|
149
149
|
instrumentJoiValues
|
|
150
150
|
);
|
|
151
151
|
},
|
|
@@ -24,7 +24,7 @@ module.exports = function (core) {
|
|
|
24
24
|
patcher,
|
|
25
25
|
depHooks,
|
|
26
26
|
assess: {
|
|
27
|
-
|
|
27
|
+
getPropagatorContext,
|
|
28
28
|
eventFactory: { createPropagationEvent },
|
|
29
29
|
dataflow: {
|
|
30
30
|
tracker,
|
|
@@ -101,7 +101,7 @@ module.exports = function (core) {
|
|
|
101
101
|
|
|
102
102
|
schemaMap.install = function () {
|
|
103
103
|
depHooks.resolve(
|
|
104
|
-
{ name: 'mongoose', file: 'lib/schema/map.js', version: '>=5
|
|
104
|
+
{ name: 'mongoose', file: 'lib/schema/map.js', version: '>=5 <9' },
|
|
105
105
|
(SchemaMap) => {
|
|
106
106
|
const doValidateSyncName = 'mongoose.map.prototype.doValidateSync';
|
|
107
107
|
patcher.patch(SchemaMap.prototype, 'doValidateSync', {
|
|
@@ -109,7 +109,7 @@ module.exports = function (core) {
|
|
|
109
109
|
patchType,
|
|
110
110
|
usePerf: 'sync',
|
|
111
111
|
post: (data) => {
|
|
112
|
-
if (!assess.trust_custom_validators || data.result || !
|
|
112
|
+
if (!assess.trust_custom_validators || data.result || !getPropagatorContext()) return;
|
|
113
113
|
|
|
114
114
|
mapInstrumentation(data, doValidateSyncName);
|
|
115
115
|
},
|
|
@@ -128,7 +128,7 @@ module.exports = function (core) {
|
|
|
128
128
|
if (
|
|
129
129
|
!value ||
|
|
130
130
|
typeof cb !== 'function' ||
|
|
131
|
-
!
|
|
131
|
+
!getPropagatorContext()
|
|
132
132
|
) {
|
|
133
133
|
return;
|
|
134
134
|
}
|
|
@@ -24,7 +24,7 @@ module.exports = function (core) {
|
|
|
24
24
|
patcher,
|
|
25
25
|
depHooks,
|
|
26
26
|
assess: {
|
|
27
|
-
|
|
27
|
+
getPropagatorContext,
|
|
28
28
|
eventFactory: { createPropagationEvent },
|
|
29
29
|
dataflow: {
|
|
30
30
|
tracker,
|
|
@@ -110,7 +110,7 @@ module.exports = function (core) {
|
|
|
110
110
|
|
|
111
111
|
schemaMixed.install = function () {
|
|
112
112
|
depHooks.resolve(
|
|
113
|
-
{ name: 'mongoose', file: 'lib/schema/mixed.js', version: '>=5
|
|
113
|
+
{ name: 'mongoose', file: 'lib/schema/mixed.js', version: '>=5 <9' },
|
|
114
114
|
(SchemaMixed) => {
|
|
115
115
|
const doValidateSyncName = 'mongoose.mixed.prototype.doValidateSync';
|
|
116
116
|
patcher.patch(SchemaMixed.prototype, 'doValidateSync', {
|
|
@@ -120,7 +120,7 @@ module.exports = function (core) {
|
|
|
120
120
|
if (
|
|
121
121
|
!assess.trust_custom_validators ||
|
|
122
122
|
data.result ||
|
|
123
|
-
!
|
|
123
|
+
!getPropagatorContext()
|
|
124
124
|
) {
|
|
125
125
|
return;
|
|
126
126
|
}
|
|
@@ -136,7 +136,7 @@ module.exports = function (core) {
|
|
|
136
136
|
patchType,
|
|
137
137
|
usePerf: 'tbd',
|
|
138
138
|
pre: (data) => {
|
|
139
|
-
if (!assess.trust_custom_validators || !
|
|
139
|
+
if (!assess.trust_custom_validators || !getPropagatorContext()) {
|
|
140
140
|
return;
|
|
141
141
|
}
|
|
142
142
|
|
|
@@ -29,7 +29,7 @@ module.exports = function (core) {
|
|
|
29
29
|
patcher,
|
|
30
30
|
depHooks,
|
|
31
31
|
assess: {
|
|
32
|
-
|
|
32
|
+
getPropagatorContext,
|
|
33
33
|
eventFactory: { createPropagationEvent },
|
|
34
34
|
dataflow: { tracker },
|
|
35
35
|
},
|
|
@@ -43,7 +43,7 @@ module.exports = function (core) {
|
|
|
43
43
|
post(data) {
|
|
44
44
|
// if a conditional is provided as the first argument castForQuery gets
|
|
45
45
|
// called subsequently with the individual value(s)
|
|
46
|
-
if (!
|
|
46
|
+
if (!getPropagatorContext() || data.args[0]) return;
|
|
47
47
|
|
|
48
48
|
const strInfo = tracker.getData(data.result);
|
|
49
49
|
if (!strInfo) return;
|
|
@@ -168,7 +168,7 @@ module.exports = function (core) {
|
|
|
168
168
|
usePerf: 'tbd',
|
|
169
169
|
pre(data) {
|
|
170
170
|
const [value, cb] = data.args;
|
|
171
|
-
if (!value || typeof cb !== 'function' || !
|
|
171
|
+
if (!value || typeof cb !== 'function' || !getPropagatorContext()) return;
|
|
172
172
|
|
|
173
173
|
const hasCustomValidator = data.obj.validators.some(
|
|
174
174
|
(validator) => validator.type === userDefinedType
|
|
@@ -293,7 +293,7 @@ module.exports = function (core) {
|
|
|
293
293
|
{
|
|
294
294
|
name: 'mongoose',
|
|
295
295
|
file: 'lib/schema/string.js',
|
|
296
|
-
version: '>=6
|
|
296
|
+
version: '>=6 <9',
|
|
297
297
|
},
|
|
298
298
|
(SchemaString, metadata) => {
|
|
299
299
|
patchCastForQuery(SchemaString, metadata);
|
|
@@ -16,7 +16,6 @@
|
|
|
16
16
|
'use strict';
|
|
17
17
|
|
|
18
18
|
const { DataflowTag: { HTML_ENCODED } } = require('@contrast/common');
|
|
19
|
-
const { InstrumentationType: { PROPAGATOR } } = require('../../../constants');
|
|
20
19
|
const { createEscapeTagRanges } = require('../../tag-utils');
|
|
21
20
|
const { patchType } = require('../common');
|
|
22
21
|
|
|
@@ -25,7 +24,7 @@ module.exports = function(core) {
|
|
|
25
24
|
patcher,
|
|
26
25
|
depHooks,
|
|
27
26
|
assess: {
|
|
28
|
-
|
|
27
|
+
getPropagatorContext,
|
|
29
28
|
eventFactory: { createPropagationEvent },
|
|
30
29
|
dataflow: { tracker }
|
|
31
30
|
}
|
|
@@ -33,7 +32,7 @@ module.exports = function(core) {
|
|
|
33
32
|
|
|
34
33
|
return core.assess.dataflow.propagation.mustacheEscape = {
|
|
35
34
|
install() {
|
|
36
|
-
depHooks.resolve({ name: 'mustache' }, (mustache) => {
|
|
35
|
+
depHooks.resolve({ name: 'mustache', version: '<5' }, (mustache) => {
|
|
37
36
|
const name = 'mustache.escape';
|
|
38
37
|
|
|
39
38
|
return patcher.patch(mustache, 'escape', {
|
|
@@ -42,7 +41,7 @@ module.exports = function(core) {
|
|
|
42
41
|
usePerf: 'sync',
|
|
43
42
|
post(data) {
|
|
44
43
|
const { args, result, hooked, orig } = data;
|
|
45
|
-
if (!result || !args[0] || !
|
|
44
|
+
if (!result || !args[0] || !getPropagatorContext()) return;
|
|
46
45
|
|
|
47
46
|
const argInfo = tracker.getData(args[0]);
|
|
48
47
|
|
|
@@ -20,7 +20,7 @@ describe('assess dataflow propagation mustache.escape', function () {
|
|
|
20
20
|
|
|
21
21
|
tracker = core.assess.dataflow.tracker;
|
|
22
22
|
core.assess.dataflow.propagation.mustacheEscape.install();
|
|
23
|
-
core.depHooks.resolve.
|
|
23
|
+
core.depHooks.resolve.yield(mustache);
|
|
24
24
|
});
|
|
25
25
|
|
|
26
26
|
afterEach(function () {
|
|
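Review bot: `core.depHooks.resolve.yield(mustache);` fires the registered callback without looking at the descriptor, so this test would still pass if the `version: '<5'` bound added in mustache-escape.js were dropped or mistyped. The joi tests in this release pin the descriptor with `withArgs(...)`; doing the same here, `core.depHooks.resolve.withArgs({ name: 'mustache', version: '<5' }).yield(mustache);`, keeps the supported range under test. The enclosing setup hook starts above this hunk, so how `mustache` is obtained is not visible.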
@@ -16,7 +16,6 @@
|
|
|
16
16
|
'use strict';
|
|
17
17
|
|
|
18
18
|
const { DataflowTag: { SQL_ENCODED } } = require('@contrast/common');
|
|
19
|
-
const { InstrumentationType: { PROPAGATOR } } = require('../../../constants');
|
|
20
19
|
const { createFullLengthCopyTags } = require('../../tag-utils');
|
|
21
20
|
const { patchType, createModuleLabel } = require('../common');
|
|
22
21
|
|
|
@@ -25,7 +24,7 @@ module.exports = function(core) {
|
|
|
25
24
|
patcher,
|
|
26
25
|
depHooks,
|
|
27
26
|
assess: {
|
|
28
|
-
|
|
27
|
+
getPropagatorContext,
|
|
29
28
|
eventFactory: { createPropagationEvent },
|
|
30
29
|
dataflow: { tracker }
|
|
31
30
|
}
|
|
@@ -34,7 +33,7 @@ module.exports = function(core) {
|
|
|
34
33
|
function createPostHook(eventName, objectValue) {
|
|
35
34
|
return function(data) {
|
|
36
35
|
const { args, result, hooked, orig } = data;
|
|
37
|
-
if (!result || !args[0] || !
|
|
36
|
+
if (!result || !args[0] || !getPropagatorContext()) return;
|
|
38
37
|
|
|
39
38
|
const argInfo = tracker.getData(args[0]);
|
|
40
39
|
|
|
@@ -87,18 +86,17 @@ module.exports = function(core) {
|
|
|
87
86
|
|
|
88
87
|
return core.assess.dataflow.propagation.mysqlEscape = {
|
|
89
88
|
install() {
|
|
90
|
-
|
|
91
|
-
|
|
92
|
-
|
|
93
|
-
|
|
94
|
-
|
|
95
|
-
|
|
96
|
-
|
|
97
|
-
});
|
|
89
|
+
// mysql
|
|
90
|
+
depHooks.resolve({ name: 'mysql', version: '<3' }, (mysql, version) => {
|
|
91
|
+
patcher.patch(mysql, 'escape', {
|
|
92
|
+
name: 'mysql.escape',
|
|
93
|
+
patchType,
|
|
94
|
+
usePerf: 'sync',
|
|
95
|
+
post: createPostHook('mysql.escape', `${createModuleLabel('mysql', version)}`)
|
|
98
96
|
});
|
|
99
97
|
});
|
|
100
98
|
|
|
101
|
-
depHooks.resolve({ name: 'mysql', file: 'lib/Connection.js' }, (mysqlConnection, version) => {
|
|
99
|
+
depHooks.resolve({ name: 'mysql', version: '<3', file: 'lib/Connection.js' }, (mysqlConnection, version) => {
|
|
102
100
|
patcher.patch(mysqlConnection.prototype, 'escape', {
|
|
103
101
|
name: 'mysql.Connection.prototype.escape',
|
|
104
102
|
patchType,
|
|
@@ -107,9 +105,19 @@ module.exports = function(core) {
|
|
|
107
105
|
});
|
|
108
106
|
});
|
|
109
107
|
|
|
110
|
-
|
|
108
|
+
// mysql2
|
|
109
|
+
depHooks.resolve({ name: 'mysql2', version: '<4' }, (mysql, version) => {
|
|
110
|
+
patcher.patch(mysql, 'escape', {
|
|
111
|
+
name: 'mysql2.escape',
|
|
112
|
+
patchType,
|
|
113
|
+
usePerf: 'sync',
|
|
114
|
+
post: createPostHook('mysql2.escape', `${createModuleLabel('mysql2', version)}`)
|
|
115
|
+
});
|
|
116
|
+
});
|
|
117
|
+
|
|
118
|
+
depHooks.resolve({ name: 'mysql2', version: '<4', file: 'lib/connection.js' }, (mysqlConnection, version) => {
|
|
111
119
|
patcher.patch(mysqlConnection.prototype, 'escape', {
|
|
112
|
-
name: '
|
|
120
|
+
name: 'mysql2.Connection.prototype.escape',
|
|
113
121
|
patchType,
|
|
114
122
|
usePerf: 'sync',
|
|
115
123
|
post: createPostHook('mysql2/lib/connection.Connection.escape', `[${createModuleLabel('mysql2', version)}].Connection`)
|
|
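Review bot: The rename to `name: 'mysql2.Connection.prototype.escape'` leaves the event name three lines below it as `'mysql2/lib/connection.Connection.escape'`, while the top-level hooks on the new side use one dotted string for both the patch name and the event (`'mysql.escape'`, `'mysql2.escape'`). If nothing downstream keys on the old event name (not visible here), change only the first argument of that `createPostHook` call to `'mysql2.Connection.prototype.escape'`; otherwise a comment on why the path-style name is kept would help anyone reading traces. Separately, `${createModuleLabel('mysql', version)}` wraps a single expression in a template literal and can be just `createModuleLabel('mysql', version)`, assuming the helper already returns a string.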
@@ -25,7 +25,7 @@ describe('assess dataflow propagation mysql.connection.escape', function () {
|
|
|
25
25
|
mockConnection.prototype.escape = (str) => `mock-escape_${str}_mock-escape`;
|
|
26
26
|
tracker = core.assess.dataflow.tracker;
|
|
27
27
|
core.assess.dataflow.propagation.mysqlEscape.install();
|
|
28
|
-
core.depHooks.resolve.withArgs({ name: 'mysql', file: 'lib/Connection.js' }).yield(mockConnection);
|
|
28
|
+
core.depHooks.resolve.withArgs(sinon.match({ name: 'mysql', file: 'lib/Connection.js' })).yield(mockConnection);
|
|
29
29
|
});
|
|
30
30
|
|
|
31
31
|
afterEach(function () {
|
|
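Review bot: Only the existing `lib/Connection.js` stub line changes in this file, so the `mysql2.escape` hook added in mysql-connection-escape.js (and the reworked top-level `mysql.escape` one) appears to have no test here. A case per hook that yields a mock module and checks the escaped result is still tracked would cover them. The partial `sinon.match({ name: 'mysql', file: 'lib/Connection.js' })` also stops asserting the new bound; adding `version: '<3'` to the matcher object would pin it.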
@@ -16,7 +16,6 @@
|
|
|
16
16
|
'use strict';
|
|
17
17
|
|
|
18
18
|
const { isString } = require('@contrast/common');
|
|
19
|
-
const { InstrumentationType: { PROPAGATOR } } = require('../../../constants');
|
|
20
19
|
const { patchType } = require('../common');
|
|
21
20
|
|
|
22
21
|
module.exports = function (core) {
|
|
@@ -24,7 +23,7 @@ module.exports = function (core) {
|
|
|
24
23
|
logger,
|
|
25
24
|
patcher,
|
|
26
25
|
assess: {
|
|
27
|
-
|
|
26
|
+
getPropagatorContext,
|
|
28
27
|
dataflow: { tracker }
|
|
29
28
|
}
|
|
30
29
|
} = core;
|
|
@@ -43,7 +42,7 @@ module.exports = function (core) {
|
|
|
43
42
|
isNaN(result) ||
|
|
44
43
|
!value ||
|
|
45
44
|
!isString(value) ||
|
|
46
|
-
!
|
|
45
|
+
!getPropagatorContext() ||
|
|
47
46
|
!tracker.getData(value)
|
|
48
47
|
) return;
|
|
49
48
|
|
|
@@ -16,7 +16,6 @@
|
|
|
16
16
|
'use strict';
|
|
17
17
|
|
|
18
18
|
const { isString, primordials: { ArrayPrototypeJoin } } = require('@contrast/common');
|
|
19
|
-
const { InstrumentationType: { PROPAGATOR } } = require('../../../../constants');
|
|
20
19
|
const { patchType } = require('../../common');
|
|
21
20
|
const { excludeExtensionDotFromTags, createBasenameTagsInResult } = require('./common');
|
|
22
21
|
|
|
@@ -25,7 +24,7 @@ module.exports = function(core) {
|
|
|
25
24
|
depHooks,
|
|
26
25
|
patcher,
|
|
27
26
|
assess: {
|
|
28
|
-
|
|
27
|
+
getPropagatorContext,
|
|
29
28
|
eventFactory: { createPropagationEvent },
|
|
30
29
|
dataflow: { tracker },
|
|
31
30
|
},
|
|
@@ -33,7 +32,7 @@ module.exports = function(core) {
|
|
|
33
32
|
|
|
34
33
|
core.assess.dataflow.propagation.pathInstrumentation.basename = {
|
|
35
34
|
install() {
|
|
36
|
-
depHooks.resolve({ name: 'path' }, (path) => {
|
|
35
|
+
depHooks.resolve({ name: 'path', version: '*' }, (path) => {
|
|
37
36
|
for (const os of ['posix', 'win32']) {
|
|
38
37
|
const isWin32 = os === 'win32';
|
|
39
38
|
|
|
@@ -44,7 +43,7 @@ module.exports = function(core) {
|
|
|
44
43
|
post(data) {
|
|
45
44
|
const { args: origArgs, result, name, hooked, orig } = data;
|
|
46
45
|
|
|
47
|
-
if (!result || !
|
|
46
|
+
if (!result || !getPropagatorContext()) return;
|
|
48
47
|
|
|
49
48
|
const [pathStr, suffixStr] = origArgs;
|
|
50
49
|
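Review bot: `depHooks.resolve({ name: 'path', version: '*' }, ...)` in `install()` attaches a version range to a Node built-in, which has no package version of its own, and nothing visible here says what `depHooks` compares `'*'` against. If the range were ever evaluated against a missing version, the callback would presumably not run and `path.basename` would stop propagating tracked data without any error. A one-line comment would settle the intent, `// 'path' is a core module; '*' = instrument on every runtime version`, backed by a test that the hook still fires for the built-in. The same line is added in the `dirname`, `extname` and `format` sections below.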
|
|
@@ -15,7 +15,6 @@
|
|
|
15
15
|
|
|
16
16
|
'use strict';
|
|
17
17
|
const { isString } = require('@contrast/common');
|
|
18
|
-
const { InstrumentationType: { PROPAGATOR } } = require('../../../../constants');
|
|
19
18
|
const { patchType } = require('../../common');
|
|
20
19
|
const { createArgTagsInResult } = require('./common');
|
|
21
20
|
|
|
@@ -24,7 +23,7 @@ module.exports = function(core) {
|
|
|
24
23
|
depHooks,
|
|
25
24
|
patcher,
|
|
26
25
|
assess: {
|
|
27
|
-
|
|
26
|
+
getPropagatorContext,
|
|
28
27
|
eventFactory: { createPropagationEvent },
|
|
29
28
|
dataflow: { tracker },
|
|
30
29
|
},
|
|
@@ -32,7 +31,7 @@ module.exports = function(core) {
|
|
|
32
31
|
|
|
33
32
|
core.assess.dataflow.propagation.pathInstrumentation.dirname = {
|
|
34
33
|
install() {
|
|
35
|
-
depHooks.resolve({ name: 'path' }, (path) => {
|
|
34
|
+
depHooks.resolve({ name: 'path', version: '*' }, (path) => {
|
|
36
35
|
for (const os of ['posix', 'win32']) {
|
|
37
36
|
const isWin32 = os === 'win32';
|
|
38
37
|
|
|
@@ -43,7 +42,7 @@ module.exports = function(core) {
|
|
|
43
42
|
post(data) {
|
|
44
43
|
const { args, result, name, hooked, orig } = data;
|
|
45
44
|
|
|
46
|
-
if (!result || !
|
|
45
|
+
if (!result || !getPropagatorContext()) return;
|
|
47
46
|
|
|
48
47
|
const pathStr = args[0];
|
|
49
48
|
|
|
@@ -16,7 +16,6 @@
|
|
|
16
16
|
'use strict';
|
|
17
17
|
|
|
18
18
|
const { isString } = require('@contrast/common');
|
|
19
|
-
const { InstrumentationType: { PROPAGATOR } } = require('../../../../constants');
|
|
20
19
|
const { createSubsetTags } = require('../../../tag-utils');
|
|
21
20
|
const { patchType } = require('../../common');
|
|
22
21
|
const { excludeExtensionDotFromTags } = require('./common');
|
|
@@ -26,7 +25,7 @@ module.exports = function(core) {
|
|
|
26
25
|
depHooks,
|
|
27
26
|
patcher,
|
|
28
27
|
assess: {
|
|
29
|
-
|
|
28
|
+
getPropagatorContext,
|
|
30
29
|
eventFactory: { createPropagationEvent },
|
|
31
30
|
dataflow: { tracker },
|
|
32
31
|
},
|
|
@@ -34,7 +33,7 @@ module.exports = function(core) {
|
|
|
34
33
|
|
|
35
34
|
core.assess.dataflow.propagation.pathInstrumentation.extname = {
|
|
36
35
|
install() {
|
|
37
|
-
depHooks.resolve({ name: 'path' }, (path) => {
|
|
36
|
+
depHooks.resolve({ name: 'path', version: '*' }, (path) => {
|
|
38
37
|
for (const os of ['posix', 'win32']) {
|
|
39
38
|
const isWin32 = os === 'win32';
|
|
40
39
|
|
|
@@ -44,7 +43,7 @@ module.exports = function(core) {
|
|
|
44
43
|
usePerf: 'sync',
|
|
45
44
|
post(data) {
|
|
46
45
|
const { args, result, name, hooked, orig } = data;
|
|
47
|
-
if (!result || !
|
|
46
|
+
if (!result || !getPropagatorContext()) return;
|
|
48
47
|
|
|
49
48
|
const pathStr = args[0];
|
|
50
49
|
|
|
@@ -16,7 +16,6 @@
|
|
|
16
16
|
'use strict';
|
|
17
17
|
|
|
18
18
|
const { primordials: { ArrayPrototypeJoin }, isString } = require('@contrast/common');
|
|
19
|
-
const { InstrumentationType: { PROPAGATOR } } = require('../../../../constants');
|
|
20
19
|
const { createMergedTags, getAdjustedUntrackedValue } = require('../../../tag-utils');
|
|
21
20
|
const { patchType } = require('../../common');
|
|
22
21
|
const { createArgTagsInResult, excludeExtensionDotFromTags } = require('./common');
|
|
@@ -26,7 +25,7 @@ module.exports = function(core) {
|
|
|
26
25
|
depHooks,
|
|
27
26
|
patcher,
|
|
28
27
|
assess: {
|
|
29
|
-
|
|
28
|
+
getPropagatorContext,
|
|
30
29
|
eventFactory: { createPropagationEvent },
|
|
31
30
|
dataflow: { tracker },
|
|
32
31
|
},
|
|
@@ -34,7 +33,7 @@ module.exports = function(core) {
|
|
|
34
33
|
|
|
35
34
|
core.assess.dataflow.propagation.pathInstrumentation.format = {
|
|
36
35
|
install() {
|
|
37
|
-
depHooks.resolve({ name: 'path' }, (path) => {
|
|
36
|
+
depHooks.resolve({ name: 'path', version: '*' }, (path) => {
|
|
38
37
|
for (const os of ['posix', 'win32']) {
|
|
39
38
|
const isWin32 = os === 'win32';
|
|
40
39
|
|
|
@@ -44,7 +43,7 @@ module.exports = function(core) {
|
|
|
44
43
|
usePerf: 'sync',
|
|
45
44
|
post(data) {
|
|
46
45
|
const { args, result, name: patchName, hooked, orig } = data;
|
|
47
|
-
if (!result || !
|
|
46
|
+
if (!result || !getPropagatorContext()) return;
|
|
48
47
|
|
|
49
48
|
const pathProps = [];
|
|
50
49
|
const { dir, root, base, name, ext } = args[0];
|