npm - @contrast/assess - Versions diffs - 1.40.0 → 1.42.0 - Mend

@contrast/assess 1.40.0 → 1.42.0

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (167) hide show

package/lib/dataflow/sinks/install/postgres.test.js CHANGED Viewed

@@ -28,15 +28,9 @@ describe('assess dataflow sinks postgres', function () {
     reportFindings = sinon.stub(core.assess.dataflow.sinks, 'reportFindings');
     reportSafePositive = sinon.stub(core.assess.dataflow.sinks, 'reportSafePositive');
-    core.depHooks.resolve
-      .withArgs({ name: 'pg', file: 'lib/client.js' })
-      .yields(Client);
-    core.depHooks.resolve
-      .withArgs({ name: 'pg', file: 'lib/native/client.js' })
-      .yields(NativeClient);
-    core.depHooks.resolve.withArgs({ name: 'pg-pool' }).yields(Pool);
+    core.depHooks.resolve.withArgs(sinon.match({ name: 'pg', file: 'lib/client.js' })).yields(Client);
+    core.depHooks.resolve.withArgs(sinon.match({ name: 'pg', file: 'lib/native/client.js' })).yields(NativeClient);
+    core.depHooks.resolve.withArgs(sinon.match({ name: 'pg-pool' })).yields(Pool);
     require('./postgres')(core).install();
   });

package/lib/dataflow/sinks/install/restify.js CHANGED Viewed

@@ -28,7 +28,6 @@ const {
   isString,
   primordials: { ArrayPrototypeJoin },
 } = require('@contrast/common');
-const { InstrumentationType: { RULE } } = require('../../../constants');
 const { createAppendTags } = require('../../tag-utils');
 const { patchType } = require('../common');
@@ -45,7 +44,7 @@ module.exports = function(core) {
     depHooks,
     patcher,
     assess: {
-      getSourceContext,
+      getSinkContext,
       eventFactory: { createSinkEvent },
       dataflow: {
         tracker,
@@ -114,7 +113,7 @@ module.exports = function(core) {
     install() {
       // restify adds functionality to the built-in response via this patch function.
       // once it returns the request, it'll have been decorated with redirect() method.
-      depHooks.resolve({ name: 'restify', file: 'lib/response.js' }, (responsePatch) => patcher.patch(responsePatch, {
+      depHooks.resolve({ name: 'restify', version: '<12', file: 'lib/response.js' }, (responsePatch) => patcher.patch(responsePatch, {
         name: 'restify.response.patch',
         patchType,
         post(data) {
@@ -122,7 +121,7 @@ module.exports = function(core) {
             patchType,
             name: 'restify.Response.redirect',
             pre(data) {
-              if (!getSourceContext(RULE, ruleId)) return;
+              if (!getSinkContext(ruleId)) return;
               let vulnArgIdx;
               let vulnArgIsString = true;

package/lib/dataflow/sinks/install/restify.test.js CHANGED Viewed

@@ -33,11 +33,9 @@ describe('assess dataflow restify sinks', function () {
       return new Response();
     };
-    core.depHooks.resolve
-      .withArgs({ name: 'restify', file: 'lib/response.js' })
-      .callsFake((desc, cb) => {
-        patchMock = cb(patch);
-      });
+    core.depHooks.resolve.callsFake((desc, cb) => {
+      patchMock = cb(patch);
+    });
     require('./restify')(core).install();
   });

package/lib/dataflow/sinks/install/sequelize.js CHANGED Viewed

@@ -25,7 +25,6 @@ const {
     CUSTOM_ENCODED,
   },
 } = require('@contrast/common');
-const { InstrumentationType: { RULE } } = require('../../../constants');
 const { patchType, filterSafeTags } = require('../common');
 /**
@@ -42,7 +41,7 @@ module.exports = function (core) {
     config,
     assess: {
       inspect, // TODO NODE-3455: remove
-      getSourceContext,
+      getSinkContext,
       eventFactory: { createSinkEvent },
       dataflow: {
         tracker,
@@ -63,12 +62,12 @@ module.exports = function (core) {
   const sequelize = (core.assess.dataflow.sinks.sequelize = {});
   sequelize.install = function () {
-    depHooks.resolve({ name: 'sequelize' }, (sequelize) => {
+    depHooks.resolve({ name: 'sequelize', version: '<7' }, (sequelize) => {
       patcher.patch(sequelize.prototype, 'query', {
         name: 'sequelize.prototype.query',
         patchType,
         around(next, data) {
-          if (!getSourceContext(RULE, ruleId) || !data.args[0]) return next();
+          if (!getSinkContext(ruleId) || !data.args[0]) return next();
           const { args, hooked, orig } = data;
           const query = typeof args[0] === 'string' ? args[0] : args[0].query;

package/lib/dataflow/sinks/install/sqlite3.js CHANGED Viewed

@@ -27,7 +27,6 @@ const {
   Rule: { SQL_INJECTION: ruleId },
   isString
 } = require('@contrast/common');
-const { InstrumentationType: { RULE } } = require('../../../constants');
 const safeTags = [
   `excluded:${ruleId}`,
@@ -49,7 +48,7 @@ module.exports = function(core) {
     depHooks,
     patcher,
     assess: {
-      getSourceContext,
+      getSinkContext,
       eventFactory: { createSinkEvent },
       dataflow: {
         tracker,
@@ -60,7 +59,7 @@ module.exports = function(core) {
   const pre = (name, method) => (data) => {
     if (
-      !getSourceContext(RULE, ruleId) ||
+      !getSinkContext(ruleId) ||
       !data.args[0] ||
       !isString(data.args[0]) ||
       isLocked(ruleId)
@@ -105,7 +104,7 @@ module.exports = function(core) {
   core.assess.dataflow.sinks.sqlite3 = {
     install() {
-      depHooks.resolve({ name: 'sqlite3' }, sqlite3 => {
+      depHooks.resolve({ name: 'sqlite3', version: '<6' }, sqlite3 => {
         ['all', 'run', 'get', 'each', 'exec', 'prepare'].forEach((method) => {
           const name = `sqlite3.Database.prototype.${method}`;
           patcher.patch(sqlite3.Database.prototype, method, {

package/lib/dataflow/sinks/install/vm.js CHANGED Viewed

@@ -33,7 +33,6 @@ const {
   },
   traverseValues,
 } = require('@contrast/common');
-const { InstrumentationType: { RULE } } = require('../../../constants');
 const { createAdjustedQueryTags } = require('../../tag-utils');
 const safeTags = [
@@ -58,7 +57,7 @@ module.exports = function (core) {
     patcher,
     assess: {
       inspect, // TODO NODE-3455: remove
-      getSourceContext,
+      getSinkContext,
       eventFactory: { createSinkEvent },
       dataflow: {
         tracker,
@@ -144,7 +143,7 @@ module.exports = function (core) {
   }
   function around(next, { args: origArgs, hooked, orig, name }) {
-    if (!getSourceContext(RULE, ruleId) || isLocked(ruleId)) return next();
+    if (!getSinkContext(ruleId) || isLocked(ruleId)) return next();
     const methodPath = StringPrototypeSplit.call(name, '.');
     const method = methodPath[methodPath.length - 1];
@@ -250,7 +249,7 @@ module.exports = function (core) {
   core.assess.dataflow.sinks.vm = {
     install() {
-      depHooks.resolve({ name: 'vm' }, (vm) => {
+      depHooks.resolve({ name: 'vm', version: '*' }, (vm) => {
         [
           'Script',
           'createScript',

package/lib/dataflow/sources/install/body-parser1.js CHANGED Viewed

@@ -16,7 +16,6 @@
 'use strict';
 const { InputType } = require('@contrast/common');
-const { InstrumentationType: { SOURCE } } = require('../../../constants');
 const { patchType } = require('../common');
 const METHODS = ['json', 'raw', 'text', 'urlencoded'];
@@ -39,10 +38,9 @@ module.exports = function init(core) {
   const preHook = (data) => {
     const [req, , next] = data.args;
     data.args[2] = scopes.wrap(function contrastNext(...args) {
-      const sourceContext = getSourceContext(SOURCE);
+      const sourceContext = getSourceContext();
       if (!sourceContext) {
-        logger.error({ funcKey: data.funcKey }, 'unable to handle source. Missing `sourceContext`');
         return next(...args);
       }
@@ -99,7 +97,7 @@ module.exports = function init(core) {
   core.assess.dataflow.sources.bodyParser1Instrumentation = {
     install() {
       depHooks.resolve(
-        { name: 'body-parser', version: '>=1.0.0' },
+        { name: 'body-parser', version: '>=1 <2' },
         /** @param {import('body-parser').BodyParser} bodyParser */
         (bodyParser) => {
           bodyParser = patcher.patch(bodyParser, {

package/lib/dataflow/sources/install/body-parser1.test.js CHANGED Viewed

@@ -112,10 +112,8 @@ describe('assess dataflow sources body-parser v1', function () {
         middleware(req, res, next);
         expect(core.assess.dataflow.sources.handle).not.to.have.been.called;
-        expect(core.logger.error).to.have.been.calledWith(
-          { funcKey: 'assess-dataflow-source:body-parser.bodyParser' },
-          'unable to handle source. Missing `sourceContext`'
-        );
+        expect(core.logger.trace.callCount).greaterThan(0);
+        expect(core.logger.trace.lastCall.args[0]).includes('Assess intentionally disabled');
       }, { assess: { policy: null } });
     });
@@ -210,10 +208,8 @@ describe('assess dataflow sources body-parser v1', function () {
           middleware(req, res, next);
           expect(core.assess.dataflow.sources.handle).not.to.have.been.called;
-          expect(core.logger.error).to.have.been.calledWith(
-            { funcKey: `assess-dataflow-source:body-parser.${method}.${method}Parser` },
-            'unable to handle source. Missing `sourceContext`',
-          );
+          expect(core.logger.trace.callCount).greaterThan(0);
+          expect(core.logger.trace.lastCall.args[0]).includes('Assess intentionally disabled');
         }, { assess: { policy: null } });
       });

package/lib/dataflow/sources/install/busboy.js CHANGED Viewed

@@ -16,7 +16,6 @@
 'use strict';
 const { InputType } = require('@contrast/common');
-const { InstrumentationType: { SOURCE } } = require('../../../constants');
 const { patchType } = require('../common');
 const inputType = InputType.MULTIPART_VALUE;
@@ -38,7 +37,7 @@ module.exports = (core) => {
   function createPreHook(finalEventName) {
     return function (data) {
       const { orig, hooked, funcKey } = data;
-      const sourceContext = getSourceContext(SOURCE);
+      const sourceContext = getSourceContext();
       if (!sourceContext) {
         return;
@@ -84,7 +83,7 @@ module.exports = (core) => {
   // Patch `busboy`
   function install() {
-    depHooks.resolve({ name, version: '<1.0.0' }, (busboy) => {
+    depHooks.resolve({ name, version: '<1' }, (busboy) => {
       patcher.patch(busboy.prototype, 'emit', {
         name: 'busboy.prototype.emit',
         patchType,
@@ -93,7 +92,7 @@ module.exports = (core) => {
     });
-    depHooks.resolve({ name, version: '>=1.0.0' }, (busboy) =>
+    depHooks.resolve({ name, version: '1' }, (busboy) =>
       patcher.patch(busboy, {
         name,
         patchType,

package/lib/dataflow/sources/install/busboy.test.js CHANGED Viewed

@@ -27,8 +27,8 @@ describe('assess dataflow sources busboy', function () {
     sinon.spy(sources, 'handle');
     busboyInstr(core).install();
-    core.depHooks.resolve.withArgs({ name: 'busboy', version: '<1.0.0' }).yield(mockBusboy0);
-    core.depHooks.resolve.withArgs({ name: 'busboy', version: '>=1.0.0' }).yield(mockBusboy1);
+    core.depHooks.resolve.withArgs({ name: 'busboy', version: '<1' }).yield(mockBusboy0);
+    core.depHooks.resolve.withArgs({ name: 'busboy', version: '1' }).yield(mockBusboy1);
     const patchedBusboy1 = core.patcher.patch.getCall(1).returnValue;
     emitMethodVersions = {

package/lib/dataflow/sources/install/cookie-parser1.js CHANGED Viewed

@@ -16,7 +16,6 @@
 'use strict';
 const { InputType } = require('@contrast/common');
-const { InstrumentationType: { SOURCE } } = require('../../../constants');
 const { patchType } = require('../common');
 module.exports = function init(core) {
@@ -25,7 +24,7 @@ module.exports = function init(core) {
   assess.dataflow.sources.cookieParser1Instrumentation = {
     install() {
       depHooks.resolve(
-        { name: 'cookie-parser', version: '>=1.0.0' },
+        { name: 'cookie-parser', version: '>=1 <2' },
         /** @param {import('cookie-parser')} cookieParser */
         (cookieParser) =>
           patcher.patch(cookieParser, {
@@ -40,10 +39,9 @@ module.exports = function init(core) {
                   const { funcKey } = data;
                   const [req, , next] = data.args;
                   data.args[2] = function contrastNext(...args) {
-                    const sourceContext = assess.getSourceContext(SOURCE);
+                    const sourceContext = assess.getSourceContext();
                     if (!sourceContext) {
-                      logger.error({ funcKey }, 'unable to handle source. Missing `sourceContext`');
                       return next(...args);
                     }

package/lib/dataflow/sources/install/cookie-parser1.test.js CHANGED Viewed

@@ -74,10 +74,8 @@ describe('assess dataflow sources cookie-parser v1', function () {
       middleware(req, res, next);
       expect(core.assess.dataflow.sources.handle).not.to.have.been.called;
-      expect(core.logger.error).to.have.been.calledWith(
-        { funcKey: 'assess-dataflow-source:cookie-parser.cookieParser' },
-        'unable to handle source. Missing `sourceContext`',
-      );
+      expect(core.logger.trace.callCount).greaterThan(0);
+      expect(core.logger.trace.lastCall.args[0]).includes('Assess intentionally disabled');
     }, { assess: { policy: null } });
   });

package/lib/dataflow/sources/install/express/params.js CHANGED Viewed

@@ -16,7 +16,6 @@
 'use strict';
 const { InputType } = require('@contrast/common');
-const { InstrumentationType: { SOURCE } } = require('../../../../constants');
 const { patchType } = require('../../common');
 module.exports = function init(core) {
@@ -24,55 +23,74 @@ module.exports = function init(core) {
     logger,
     patcher,
     depHooks,
-    assess: { getSourceContext },
+    assess: {
+      getSourceContext,
+      dataflow: { sources }
+    },
   } = core;
+  function postHook(name) {
+    return function({ obj: layer, result, orig, hooked, funcKey }) {
+      // we can exit early if
+      //  the layer doesn't match the request or
+      //  the layer doesn't recognize any parameters
+      if (
+        !result ||
+        !layer.keys ||
+        layer.keys.length === 0
+      ) return;
+      const sourceContext = getSourceContext();
+      if (!sourceContext) return;
+      if (sourceContext.parsedParams) {
+        logger.trace({ funcKey }, 'values already tracked');
+        return;
+      }
+      try {
+        sources.handle({
+          context: 'req.params',
+          name,
+          inputType: InputType.PARAMETER_VALUE,
+          stacktraceOpts: {
+            constructorOpt: hooked,
+            prependFrames: [orig]
+          },
+          data: layer.params,
+          sourceContext
+        });
+        sourceContext.parsedParams = true;
+      } catch (err) {
+        logger.error({ err, funcKey }, 'unable to handle source');
+      }
+    };
+  }
   core.assess.dataflow.sources.expressInstrumentation.params = {
     install() {
       const name = 'Layer.prototype.match';
       depHooks.resolve(
-        { name: 'express', version: '>=4.0.0 <5.0.0', file: 'lib/router/layer.js' },
+        { name: 'express', version: '>=4 <5', file: 'lib/router/layer.js' },
         (Layer) => {
           patcher.patch(Layer.prototype, 'match', {
             name,
             patchType,
-            post({ obj: layer, result, orig, hooked, funcKey }) {
-              // we can exit early if
-              //  the layer doesn't match the request or
-              //  the layer doesn't recognize any parameters
-              if (
-                !result ||
-                !layer.keys ||
-                layer.keys.length === 0
-              ) return;
-              const sourceContext = getSourceContext(SOURCE);
-              if (!sourceContext) return;
-              if (sourceContext.parsedParams) {
-                logger.trace({ funcKey }, 'values already tracked');
-                return;
-              }
-              try {
-                core.assess.dataflow.sources.handle({
-                  context: 'req.params',
-                  name,
-                  inputType: InputType.PARAMETER_VALUE,
-                  stacktraceOpts: {
-                    constructorOpt: hooked,
-                    prependFrames: [orig]
-                  },
-                  data: layer.params,
-                  sourceContext
-                });
-                sourceContext.parsedParams = true;
-              } catch (err) {
-                logger.error({ err, funcKey }, 'unable to handle source');
-              }
-            }
+            post: postHook(name)
           });
+          return Layer;
+        }
+      );
+      // Used by Express 5
+      depHooks.resolve(
+        { name: 'router', version: '>=2 <3', file: 'lib/layer.js' },
+        (Layer) => {
+          patcher.patch(Layer.prototype, 'match', {
+            name,
+            patchType,
+            post: postHook(name)
+          });
           return Layer;
         }
       );

package/lib/dataflow/sources/install/express/params.test.js CHANGED Viewed

@@ -8,96 +8,103 @@ const { InputType } = require('@contrast/common');
 describe('assess dataflow sources express params', function () {
   let core, simulateRequestScope, Layer, layer;
-  beforeEach(function () {
-    ({ core, simulateRequestScope } = initAssessFixture());
-    sinon.stub(core.assess.dataflow.sources, 'handle');
-    const LayerMock = sinon.stub();
-    LayerMock.prototype.match = sinon.stub().returns(true);
-    require('./params')(core).install();
-    Layer = core.depHooks.resolve.yield(LayerMock)[0];
-    layer = { keys: ['foo'], params: { foo: 'bar' } };
-  });
+  [
+    { name: 'express', version: '>=4 <5', file: 'lib/router/layer.js' },
+    { name: 'router', version: '>=2 <3', file: 'lib/layer.js' }
+  ].forEach((args) => {
+    describe(`Express${args.name === 'express' ? '4' : '5'}`, function() {
+      beforeEach(function () {
+        ({ core, simulateRequestScope } = initAssessFixture());
+        sinon.stub(core.assess.dataflow.sources, 'handle');
+        const LayerMock = sinon.stub();
+        LayerMock.prototype.match = sinon.stub().returns(true);
+        require('./params')(core).install();
+        [Layer] = core.depHooks.resolve.withArgs(args).yield(LayerMock);
+        layer = { keys: ['foo'], params: { foo: 'bar' } };
+      });
-  it('calls `.handle` when `match` adds params (and keys) to the Layer instance', function () {
-    simulateRequestScope(() => {
-      Reflect.apply(Layer.prototype.match, layer, ['/bar']);
-      expect(core.assess.dataflow.sources.handle).to.have.been.calledWith({
-        context: 'req.params',
-        name: 'Layer.prototype.match',
-        inputType: InputType.PARAMETER_VALUE,
-        stacktraceOpts: {
-          constructorOpt: sinon.match.func,
-          prependFrames: sinon.match.array,
-        },
-        data: layer.params,
-        sourceContext: core.scopes.sources.getStore().assess
+      it('calls `.handle` when `match` adds params (and keys) to the Layer instance', function () {
+        simulateRequestScope(() => {
+          Reflect.apply(Layer.prototype.match, layer, ['/bar']);
+          expect(core.assess.dataflow.sources.handle).to.have.been.calledWith({
+            context: 'req.params',
+            name: 'Layer.prototype.match',
+            inputType: InputType.PARAMETER_VALUE,
+            stacktraceOpts: {
+              constructorOpt: sinon.match.func,
+              prependFrames: sinon.match.array,
+            },
+            data: layer.params,
+            sourceContext: core.scopes.sources.getStore().assess
+          });
+        });
       });
-    });
-  });
-  it('does not call `.handle` when `match` returns false', function () {
-    Layer.prototype.match.returns(false);
+      it('does not call `.handle` when `match` returns false', function () {
+        Layer.prototype.match.returns(false);
-    simulateRequestScope(() => {
-      Reflect.apply(Layer.prototype.match, layer, ['/bar']);
+        simulateRequestScope(() => {
+          Reflect.apply(Layer.prototype.match, layer, ['/bar']);
-      expect(core.assess.dataflow.sources.handle).not.to.have.been.called;
-    });
-  });
+          expect(core.assess.dataflow.sources.handle).not.to.have.been.called;
+        });
+      });
-  it('does not call `.handle` when the layer is missing the expected properties', function () {
-    simulateRequestScope(() => {
-      Reflect.apply(Layer.prototype.match, {}, ['/bar']);
+      it('does not call `.handle` when the layer is missing the expected properties', function () {
+        simulateRequestScope(() => {
+          Reflect.apply(Layer.prototype.match, {}, ['/bar']);
-      expect(core.assess.dataflow.sources.handle).not.to.have.been.called;
-    });
-  });
+          expect(core.assess.dataflow.sources.handle).not.to.have.been.called;
+        });
+      });
-  it('does not call `.handle` when `match` adds no params or keys', function () {
-    simulateRequestScope(() => {
-      Reflect.apply(Layer.prototype.match, { keys: [], params: {} }, ['/bar']);
+      it('does not call `.handle` when `match` adds no params or keys', function () {
+        simulateRequestScope(() => {
+          Reflect.apply(Layer.prototype.match, { keys: [], params: {} }, ['/bar']);
-      expect(core.assess.dataflow.sources.handle).not.to.have.been.called;
-    });
-  });
+          expect(core.assess.dataflow.sources.handle).not.to.have.been.called;
+        });
+      });
-  it('does not handle when there is no assess policy in request context', function () {
-    simulateRequestScope(() => {
-      Reflect.apply(Layer.prototype.match, layer, ['/bar']);
+      it('does not handle when there is no assess policy in request context', function () {
+        simulateRequestScope(() => {
+          Reflect.apply(Layer.prototype.match, layer, ['/bar']);
-      expect(core.assess.dataflow.sources.handle).not.to.have.been.called;
-    }, { assess: { policy: null } });
-  });
+          expect(core.assess.dataflow.sources.handle).not.to.have.been.called;
+        }, { assess: { policy: null } });
+      });
-  it('does not call `.handle` when the values are already tracked', function () {
-    simulateRequestScope(() => {
-      core.scopes.sources.getStore().assess.parsedParams = true;
+      it('does not call `.handle` when the values are already tracked', function () {
+        simulateRequestScope(() => {
+          core.scopes.sources.getStore().assess.parsedParams = true;
-      Reflect.apply(Layer.prototype.match, layer, ['/bar']);
+          Reflect.apply(Layer.prototype.match, layer, ['/bar']);
-      expect(core.assess.dataflow.sources.handle).not.to.have.been.called;
-      expect(core.logger.trace).to.have.been.calledWith(
-        { funcKey: 'assess-dataflow-source:Layer.prototype.match' },
-        'values already tracked'
-      );
-    });
-  });
+          expect(core.assess.dataflow.sources.handle).not.to.have.been.called;
+          expect(core.logger.trace).to.have.been.calledWith(
+            { funcKey: 'assess-dataflow-source:Layer.prototype.match' },
+            'values already tracked'
+          );
+        });
+      });
-  it('handles a case with an error in the `.handle` method', function () {
-    const err = new Error('test');
-    core.assess.dataflow.sources.handle.throws(err);
+      it('handles a case with an error in the `.handle` method', function () {
+        const err = new Error('test');
+        core.assess.dataflow.sources.handle.throws(err);
-    simulateRequestScope(() => {
-      Reflect.apply(Layer.prototype.match, layer, ['/bar']);
+        simulateRequestScope(() => {
+          Reflect.apply(Layer.prototype.match, layer, ['/bar']);
-      expect(core.logger.error).to.have.been.calledWith(
-        { err, funcKey: 'assess-dataflow-source:Layer.prototype.match' },
-        'unable to handle source'
-      );
+          expect(core.logger.error).to.have.been.calledWith(
+            { err, funcKey: 'assess-dataflow-source:Layer.prototype.match' },
+            'unable to handle source'
+          );
+        });
+      });
     });
   });
 });