npm - @contrast/assess - Versions diffs - 1.41.0 → 1.42.0 - Mend

@contrast/assess 1.41.0 → 1.42.0

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (162) hide show

package/lib/dataflow/sinks/install/function.js CHANGED Viewed

@@ -28,7 +28,6 @@ const {
   },
   Rule: { UNSAFE_CODE_EXECUTION: ruleId }
 } = require('@contrast/common');
-const { InstrumentationType: { RULE } } = require('../../../constants');
 const { patchType, filterSafeTags } = require('../common');
 const safeTags = [
@@ -47,7 +46,7 @@ module.exports = function (core) {
     patcher,
     assess: {
       inspect, // TODO NODE-3455: remove
-      getSourceContext,
+      getSinkContext,
       eventFactory: { createSinkEvent },
       dataflow: {
         tracker,
@@ -67,7 +66,7 @@ module.exports = function (core) {
         name: 'global.ContrastMethods.Function',
         patchType,
         pre({ args: origArgs, hooked, orig, name }) {
-          if (!getSourceContext(RULE, ruleId)) return;
+          if (!getSinkContext(ruleId)) return;
           const fnBody = origArgs[origArgs.length - 1];
           if (!fnBody || !isString(fnBody)) return;

package/lib/dataflow/sinks/install/hapi/unvalidated-redirect.js CHANGED Viewed

@@ -27,7 +27,6 @@ const {
   },
   isString
 } = require('@contrast/common');
-const { InstrumentationType: { RULE } } = require('../../../../constants');
 const { patchType, filterSafeTags } = require('../../common');
 const { createSubsetTags } = require('../../../tag-utils');
@@ -46,7 +45,7 @@ module.exports = function(core) {
     config,
     assess: {
       inspect, // TODO NODE-3455: remove
-      getSourceContext,
+      getSinkContext,
       eventFactory: { createSinkEvent },
       dataflow: {
         tracker,
@@ -67,13 +66,13 @@ module.exports = function(core) {
   ];
   unvalidatedRedirect.install = function() {
-    depHooks.resolve({ name: '@hapi/hapi', file: 'lib/response' }, (Response) => {
+    depHooks.resolve({ name: '@hapi/hapi', version: '>=18 <22', file: 'lib/response' }, (Response) => {
       const name = 'hapi.Response.prototype.redirect';
       patcher.patch(Response.prototype, 'redirect', {
         name,
         patchType,
         pre: (data) => {
-          if (!getSourceContext(RULE, ruleId)) return;
+          if (!getSinkContext(ruleId)) return;
           const [url] = data.args;
           if (!url || !isString(url)) return;

package/lib/dataflow/sinks/install/http/request.js CHANGED Viewed

@@ -29,7 +29,6 @@ const {
   Rule: { SSRF: ruleId },
   primordials: { RegExpPrototypeExec }
 } = require('@contrast/common');
-const { InstrumentationType: { RULE } } = require('../../../../constants');
 const { createAppendTags } = require('../../../tag-utils');
 const { patchType } = require('../../common');
@@ -47,7 +46,7 @@ module.exports = function(core) {
     patcher,
     assess: {
       inspect, // TODO NODE-3455: remove
-      getSourceContext,
+      getSinkContext,
       eventFactory: { createSinkEvent },
       dataflow: {
         tracker,
@@ -96,14 +95,14 @@ module.exports = function(core) {
   http.install = function() {
     ['http', 'https'].forEach((moduleName) => {
-      depHooks.resolve({ name: moduleName }, (module) => {
+      depHooks.resolve({ name: moduleName, version: '*' }, (module) => {
         const name = `${moduleName}.request`;
         const methodName = 'request';
         patcher.patch(module, methodName, {
           name,
           patchType,
           pre(data) {
-            if (!getSourceContext(RULE, ruleId)) return;
+            if (!getSinkContext(ruleId)) return;
             // url <string> |<URL>
             const [urlArg] = data.args;

package/lib/dataflow/sinks/install/http/request.test.js CHANGED Viewed

@@ -47,8 +47,8 @@ const getReq = function (strOrObj, key, trackedString) {
       core.assess.dataflow.propagation.stringInstrumentation.substring.install();
       core.assess.dataflow.propagation.stringInstrumentation.split.install();
       core.assess.dataflow.propagation.urlInstrumentation.url.install();
-      core.depHooks.resolve.withArgs({ name: 'url' }).yield(require('url'));
-      core.depHooks.resolve.withArgs({ name: module }).yields(modules[module]);
+      core.depHooks.resolve.withArgs(sinon.match({ name: 'url' })).yield(require('url'));
+      core.depHooks.resolve.withArgs(sinon.match({ name: module })).yields(modules[module]);
       require('./request')(core).install();
     });

package/lib/dataflow/sinks/install/http/server-response.js CHANGED Viewed

@@ -31,7 +31,6 @@ const {
   },
   Rule: { REFLECTED_XSS: ruleId },
 } = require('@contrast/common');
-const { InstrumentationType: { RULE } } = require('../../../../constants');
 const { patchType, filterSafeTags } = require('../../common');
@@ -48,7 +47,7 @@ module.exports = function(core) {
     depHooks,
     patcher,
     assess: {
-      getSourceContext,
+      getSinkContext,
       eventFactory: { createSinkEvent },
       dataflow: {
         tracker,
@@ -80,7 +79,7 @@ module.exports = function(core) {
   const preHook = (moduleName, responseName, method) => ({ args, obj: response, result, hooked, orig }) => {
     const methodName = `${responseName + (moduleName !== 'spdy' ? '.prototype' : '')}.${method}`;
     const name = `${moduleName}.${methodName}`;
-    const sourceContext = getSourceContext(RULE, ruleId);
+    const sourceContext = getSinkContext(ruleId);
     if (!sourceContext) return;
     const payload = args[0];
@@ -140,7 +139,7 @@ module.exports = function(core) {
   };
   http.install = function() {
-    depHooks.resolve({ name: 'http' }, (http) => {
+    depHooks.resolve({ name: 'http', version: '*' }, (http) => {
       {
         const method = 'write';
         patcher.patch(http.ServerResponse.prototype, method, {
@@ -158,7 +157,7 @@ module.exports = function(core) {
         });
       }
     });
-    depHooks.resolve({ name: 'http2' }, (http2) => {
+    depHooks.resolve({ name: 'http2', version: '*' }, (http2) => {
       {
         const method = 'write';
         patcher.patch(http2.Http2ServerResponse.prototype, method, {
@@ -176,7 +175,7 @@ module.exports = function(core) {
         });
       }
     });
-    depHooks.resolve({ name: 'spdy', file: 'lib/spdy/response.js' }, (response) => {
+    depHooks.resolve({ name: 'spdy', version: '<5', file: 'lib/spdy/response.js' }, (response) => {
       {
         const method = 'end';
         patcher.patch(response, method, {

package/lib/dataflow/sinks/install/http/server-response.test.js CHANGED Viewed

@@ -36,9 +36,9 @@ describe('assess dataflow sinks http, http2, spdy', function () {
     reportFindings = sinon.stub(core.assess.dataflow.sinks, 'reportFindings');
     reportSafePositive = sinon.stub(core.assess.dataflow.sinks, 'reportSafePositive');
-    core.depHooks.resolve.withArgs({ name: 'http' }).yields({ ServerResponse });
-    core.depHooks.resolve.withArgs({ name: 'http2' }).yields({ Http2ServerResponse });
-    core.depHooks.resolve.withArgs({ name: 'spdy', file: 'lib/spdy/response.js' }).yields(response);
+    core.depHooks.resolve.withArgs(sinon.match({ name: 'http' })).yields({ ServerResponse });
+    core.depHooks.resolve.withArgs(sinon.match({ name: 'http2' })).yields({ Http2ServerResponse });
+    core.depHooks.resolve.withArgs(sinon.match({ name: 'spdy' })).yields(response);
     require('./server-response')(core).install();
   });

package/lib/dataflow/sinks/install/koa/unvalidated-redirect.js CHANGED Viewed

@@ -27,7 +27,6 @@ const {
   Rule: { UNVALIDATED_REDIRECT: ruleId },
   isString
 } = require('@contrast/common');
-const { InstrumentationType: { RULE } } = require('../../../../constants');
 const { createSubsetTags } = require('../../../tag-utils');
 const { filterSafeTags, patchType } = require('../../common');
@@ -47,7 +46,7 @@ module.exports = function(core) {
     config,
     assess: {
       inspect, // TODO NODE-3455: remove
-      getSourceContext,
+      getSinkContext,
       eventFactory: { createSinkEvent },
       dataflow: {
         tracker,
@@ -69,13 +68,13 @@ module.exports = function(core) {
   const unvalidatedRedirect = core.assess.dataflow.sinks.koa.unvalidatedRedirect = {};
   unvalidatedRedirect.install = function() {
-    depHooks.resolve({ name: 'koa', file: 'lib/response', version: '<2.9.0' }, (Response) => {
+    depHooks.resolve({ name: 'koa', version: '<2.9.0', file: 'lib/response' }, (Response) => {
       const name = 'Koa.Response.redirect';
       patcher.patch(Response, 'redirect', {
         name,
         patchType,
         pre(data) {
-          if (!getSourceContext(RULE, ruleId)) return;
+          if (!getSinkContext(ruleId)) return;
           let isBackRoute = false;
           let [url] = data.args;

package/lib/dataflow/sinks/install/libxmljs.js CHANGED Viewed

@@ -24,7 +24,6 @@ const {
     LIMITED_CHARS,
   },
 } = require('@contrast/common');
-const { InstrumentationType: { RULE } } = require('../../../constants');
 const { patchType } = require('../common');
 const safeTags = [
@@ -48,7 +47,7 @@ module.exports = function(core) {
     patcher,
     assess: {
       inspect, // TODO NODE-3455: remove
-      getSourceContext,
+      getSinkContext,
       eventFactory: { createSinkEvent },
       dataflow: {
         tracker,
@@ -71,7 +70,7 @@ module.exports = function(core) {
         name: `${moduleName}.${method}`,
         patchType,
         pre(data) {
-          if (!getSourceContext(RULE, ruleId) || !data.args[0]) return;
+          if (!getSinkContext(ruleId) || !data.args[0]) return;
           const [xmlString, opts] = data.args;
@@ -122,11 +121,11 @@ module.exports = function(core) {
   core.assess.dataflow.sinks.libxmljs = {
     install() {
       // libxmljs changed its API in version 1.0.0
-      depHooks.resolve({ name: 'libxmljs', version: '>=1' }, handler('libxmljs', true));
+      depHooks.resolve({ name: 'libxmljs', version: '>=1 <2' }, handler('libxmljs', true));
       // libxmljs versions prior to 1.0.0 and libxmljs2 share the same API
       depHooks.resolve({ name: 'libxmljs', version: '<1' }, handler('libxmljs', false));
-      depHooks.resolve({ name: 'libxmljs2' }, handler('libxmljs2', false));
+      depHooks.resolve({ name: 'libxmljs2', version: '<1' }, handler('libxmljs2', false));
     },
   };

package/lib/dataflow/sinks/install/libxmljs.test.js CHANGED Viewed

@@ -34,11 +34,11 @@ describe('assess dataflow sinks libxmljs', function () {
       .yields(modules['libxmljs@0']);
     core.depHooks.resolve
-      .withArgs({ name: 'libxmljs', version: '>=1' })
+      .withArgs({ name: 'libxmljs', version: '>=1 <2' })
       .yields(modules['libxmljs@1']);
     core.depHooks.resolve
-      .withArgs({ name: 'libxmljs2' })
+      .withArgs(sinon.match({ name: 'libxmljs2' }))
       .yields(modules['libxmljs2']);
     require('./libxmljs')(core).install();

package/lib/dataflow/sinks/install/marsdb.js CHANGED Viewed

@@ -25,7 +25,6 @@ const {
     CUSTOM_VALIDATED_NOSQL_INJECTION,
   },
 } = require('@contrast/common');
-const { InstrumentationType: { RULE } } = require('../../../constants');
 const { patchType } = require('../common');
 const collectionMethods = ['find', 'findOne', 'update', 'remove'];
@@ -51,7 +50,7 @@ module.exports = function (core) {
     patcher,
     assess: {
       inspect, // TODO NODE-3455: remove
-      getSourceContext,
+      getSinkContext,
       eventFactory: { createSinkEvent },
       dataflow: {
         tracker,
@@ -90,7 +89,7 @@ module.exports = function (core) {
       name,
       patchType,
       around(next, data) {
-        if (!getSourceContext(RULE, ruleId)) return next();
+        if (!getSinkContext(ruleId)) return next();
         const argIdx = 0;
         const result = getVulnerabilityInfo(data.args[argIdx]);
@@ -134,7 +133,7 @@ module.exports = function (core) {
   }
   instr.install = function () {
-    depHooks.resolve({ name: 'marsdb' }, (marsdb) => {
+    depHooks.resolve({ name: 'marsdb', version: '<1' }, (marsdb) => {
       collectionMethods.forEach((method) => patchCollection(marsdb, method));
     });
   };

package/lib/dataflow/sinks/install/marsdb.test.js CHANGED Viewed

@@ -30,7 +30,7 @@ describe('assess dataflow marsdb', function () {
       core.assess.eventFactory,
       'createSinkEvent'
     );
-    core.depHooks.resolve.withArgs({ name: 'marsdb' }).yields({ Collection });
+    core.depHooks.resolve.yields({ Collection });
     instr = require('./marsdb')(core);
     instr.install();
@@ -142,7 +142,7 @@ describe('assess dataflow marsdb', function () {
   });
 });
-describe('installing marsdb', function () {
+describe('assess dataflow marsdb installation', function () {
   let core, instr;
   it('should log trace error if the method does not exist', function () {
@@ -153,7 +153,7 @@ describe('installing marsdb', function () {
     }
     ({ core } = initAssessFixture());
-    core.depHooks.resolve.withArgs({ name: 'marsdb' }).yields({ Collection });
+    core.depHooks.resolve.yields({ Collection });
     instr = require('./marsdb')(core);
     instr.install();

package/lib/dataflow/sinks/install/mongodb.js CHANGED Viewed

@@ -29,7 +29,6 @@ const {
   traverseValues,
   isString,
 } = require('@contrast/common');
-const { InstrumentationType: { RULE } } = require('../../../constants');
 const utils = require('../../tag-utils');
 const { patchType, filterSafeTags } = require('../common');
@@ -83,7 +82,7 @@ module.exports = function (core) {
     patcher,
     assess: {
       inspect, // TODO NODE-3455: remove
-      getSourceContext,
+      getSinkContext,
       eventFactory: { createSinkEvent },
       dataflow: {
         tracker,
@@ -282,7 +281,7 @@ module.exports = function (core) {
   function createAroundHook(entity, name, method, getInfoMethod, vulnerableArgIdxs) {
     const argsIdxsToCheck = vulnerableArgIdxs || [0];
     return function (next, data) {
-      if (!getSourceContext(RULE, ruleId)) return next();
+      if (!getSinkContext(ruleId)) return next();
       const { obj, args: origArgs } = data;
       const safeReports = [];
@@ -372,7 +371,7 @@ module.exports = function (core) {
   }
   instr.install = function () {
-    depHooks.resolve({ name: 'mongodb' }, (mongodb, version) => {
+    depHooks.resolve({ name: 'mongodb', version: '<7' }, (mongodb, version) => {
       patchCollection(mongodb, version);
       patchDatabase(mongodb, version);
     });

package/lib/dataflow/sinks/install/mongodb.test.js CHANGED Viewed

@@ -42,9 +42,7 @@ describe('assess dataflow sinks mongodb-v4', function () {
   beforeEach(function () {
     ({ core, simulateRequestScope, trackString } = initAssessFixture());
     reportFindings = sinon.stub(core.assess.dataflow.sinks, 'reportFindings');
-    core.depHooks.resolve
-      .withArgs({ name: 'mongodb' })
-      .yields({ Collection, Db });
+    core.depHooks.resolve.yields({ Collection, Db });
     // while the Assess fixture will have already composed the module, we re-require (which
     // just reassigns the component) so we're able to inject the spied-upon functions above
@@ -536,9 +534,7 @@ describe('assess dataflow sinks mongodb-v4', function () {
       class Db {
         command() { }
       }
-      core.depHooks.resolve
-        .withArgs({ name: 'mongodb' })
-        .yields({ Collection, Db }, 'v5.x.x');
+      core.depHooks.resolve.yields({ Collection, Db }, 'v5.x.x');
       const instr = require('./mongodb')(core);
       instr.install();

package/lib/dataflow/sinks/install/mssql.js CHANGED Viewed

@@ -26,7 +26,6 @@ const {
   Rule: { SQL_INJECTION: ruleId },
   isString
 } = require('@contrast/common');
-const { InstrumentationType: { RULE } } = require('../../../constants');
 const { createModuleLabel } = require('../../propagation/common');
 const { patchType, filterSafeTags } = require('../common');
@@ -51,7 +50,7 @@ module.exports = function(core) {
     patcher,
     config,
     assess: {
-      getSourceContext,
+      getSinkContext,
       eventFactory: { createSinkEvent },
       dataflow: {
         tracker,
@@ -62,7 +61,7 @@ module.exports = function(core) {
   const pre = (name, method, obj, version) => (data) => {
     if (
-      !getSourceContext(RULE, ruleId) ||
+      !getSinkContext(ruleId) ||
       !data.args[0] ||
       !isString(data.args[0]) ||
       isLocked(ruleId)
@@ -118,7 +117,7 @@ module.exports = function(core) {
   core.assess.dataflow.sinks.mssql = {
     install() {
       depHooks.resolve(
-        { name: 'mssql', file: 'lib/base/prepared-statement.js' },
+        { name: 'mssql', version: '<12', file: 'lib/base/prepared-statement.js' },
         (PreparedStatement, version) => {
           patcher.patch(PreparedStatement.prototype, 'prepare', {
             name: 'PreparedStatement.prototype.prepare',
@@ -134,7 +133,7 @@ module.exports = function(core) {
       );
       depHooks.resolve(
-        { name: 'mssql', file: 'lib/base/request.js' },
+        { name: 'mssql', version: '<12', file: 'lib/base/request.js' },
         (Request, version) => {
           patcher.patch(Request.prototype, 'batch', {
             name: 'Request.prototype.batch',

package/lib/dataflow/sinks/install/mssql.test.js CHANGED Viewed

@@ -26,11 +26,11 @@ describe('assess dataflow sinks mssql', function () {
     reportSafePositive = sinon.stub(core.assess.dataflow.sinks, 'reportSafePositive');
     core.depHooks.resolve
-      .withArgs({ name: 'mssql', file: 'lib/base/prepared-statement.js' })
+      .withArgs(sinon.match({ name: 'mssql', file: 'lib/base/prepared-statement.js' }))
       .yields(PreparedStatement);
     core.depHooks.resolve
-      .withArgs({ name: 'mssql', file: 'lib/base/request.js' })
+      .withArgs(sinon.match({ name: 'mssql', file: 'lib/base/request.js' }))
       .yields(Request);
     require('./mssql')(core).install();

package/lib/dataflow/sinks/install/mysql.js CHANGED Viewed

@@ -29,7 +29,6 @@ const {
   },
   isString,
 } = require('@contrast/common');
-const { InstrumentationType: { RULE } } = require('../../../constants');
 const safeTags = [
   `excluded:${ruleId}`,
@@ -54,7 +53,7 @@ module.exports = function(core) {
     patcher,
     assess: {
       inspect, // TODO NODE-3455: remove
-      getSourceContext,
+      getSinkContext,
       eventFactory: { createSinkEvent },
       dataflow: {
         tracker,
@@ -75,7 +74,7 @@ module.exports = function(core) {
   const pre = (module, file, obj, method) => (data) => {
     if (
-      !getSourceContext(RULE, ruleId) ||
+      !getSinkContext(ruleId) ||
       !data.args[0] ||
       isLocked(ruleId)
     ) return;
@@ -123,7 +122,7 @@ module.exports = function(core) {
   core.assess.dataflow.sinks.mysql = {
     install() {
       depHooks.resolve(
-        { name: 'mysql', file: 'lib/Connection' },
+        { name: 'mysql', version: '<3', file: 'lib/Connection' },
         (Connection) => {
           patcher.patch(Connection.prototype, 'query', {
             name: 'Connection.prototype.query',
@@ -133,7 +132,7 @@ module.exports = function(core) {
         },
       );
       depHooks.resolve(
-        { name: 'mysql2', file: 'lib/connection' },
+        { name: 'mysql2', version: '<4', file: 'lib/connection' },
         (connection) => {
           ['query', 'execute'].forEach((method) => {
             patcher.patch(connection.prototype, `${method}`, {

package/lib/dataflow/sinks/install/mysql.test.js CHANGED Viewed

@@ -19,17 +19,8 @@ describe('assess dataflow sinks mysql', function () {
     tracker = core.assess.dataflow.tracker;
     reportFindings = sinon.stub(core.assess.dataflow.sinks, 'reportFindings');
-    core.depHooks.resolve
-      .withArgs({ name: 'mysql', file: 'lib/Connection' })
-      .yields(Connection);
-    core.depHooks.resolve
-      .withArgs({ name: 'mysql2', file: 'lib/connection' })
-      .yields(connection);
-    core.depHooks.resolve
-      .withArgs({ name: 'mysql2', file: 'lib/connection' })
-      .yields(connection);
+    core.depHooks.resolve.withArgs(sinon.match({ name: 'mysql' })).yields(Connection);
+    core.depHooks.resolve.withArgs(sinon.match({ name: 'mysql2' })).yields(connection);
     require('./mysql')(core).install();
   });

package/lib/dataflow/sinks/install/node-serialize.js CHANGED Viewed

@@ -22,7 +22,6 @@ const {
     UNTRUSTED
   }
 } = require('@contrast/common');
-const { InstrumentationType: { RULE } } = require('../../../constants');
 const { patchType } = require('../common');
 const safeTags = [`excluded:${ruleId}`];
@@ -39,7 +38,7 @@ module.exports = function(core) {
     depHooks,
     patcher,
     assess: {
-      getSourceContext,
+      getSinkContext,
       eventFactory: { createSinkEvent },
       dataflow: {
         tracker,
@@ -50,12 +49,12 @@ module.exports = function(core) {
   core.assess.dataflow.sinks.nodeSerialize = {
     install() {
-      depHooks.resolve({ name: 'node-serialize' }, (nodeSerialize) => {
+      depHooks.resolve({ name: 'node-serialize', version: '<1' }, (nodeSerialize) => {
         patcher.patch(nodeSerialize, 'unserialize', {
           name: 'node-serialize.unserialize',
           patchType,
           pre(data) {
-            if (!getSourceContext(RULE, ruleId) || !data.args[0]) return;
+            if (!getSinkContext(ruleId) || !data.args[0]) return;
             const [input] = data.args;
             if (!isString(input)) return;

package/lib/dataflow/sinks/install/node-serialize.test.js CHANGED Viewed

@@ -13,9 +13,7 @@ describe('assess dataflow sinks node-serialize', function () {
     ({ core, simulateRequestScope, trackString } = initAssessFixture());
     reportFindings = sinon.stub(core.assess.dataflow.sinks, 'reportFindings');
-    core.depHooks.resolve
-      .withArgs({ name: 'node-serialize' })
-      .yields(serialize);
+    core.depHooks.resolve.yields(serialize);
     require('./node-serialize')(core).install();

package/lib/dataflow/sinks/install/postgres.js CHANGED Viewed

@@ -26,7 +26,6 @@ const {
   Rule: { SQL_INJECTION: ruleId },
   isString,
 } = require('@contrast/common');
-const { InstrumentationType: { RULE } } = require('../../../constants');
 const { filterSafeTags, patchType } = require('../common');
 /**
@@ -43,7 +42,7 @@ module.exports = function(core) {
     patcher,
     assess: {
       inspect, // TODO NODE-3455: remove
-      getSourceContext,
+      getSinkContext,
       eventFactory: { createSinkEvent },
       dataflow: {
         tracker,
@@ -63,7 +62,7 @@ module.exports = function(core) {
   const postgres = core.assess.dataflow.sinks.postgres = {};
   const preHook = (methodSignature) => (data) => {
-    if (!getSourceContext(RULE, ruleId) || isLocked(ruleId)) return;
+    if (!getSinkContext(ruleId) || isLocked(ruleId)) return;
     const [arg0] = data.args;
     const query = arg0?.text || arg0;
@@ -126,7 +125,7 @@ module.exports = function(core) {
   postgres.install = function() {
     const pgClientQueryPatchName = 'pg.Client.prototype.query';
     depHooks.resolve(
-      { name: 'pg', file: 'lib/client.js' },
+      { name: 'pg', version: '<9', file: 'lib/client.js' },
       (client) => {
         patcher.patch(client.prototype, 'query', {
           name: pgClientQueryPatchName,
@@ -138,7 +137,7 @@ module.exports = function(core) {
     const pgNativeClientQueryPatchName = 'pg.native.Client.prototype.query';
     depHooks.resolve(
-      { name: 'pg', file: 'lib/native/client.js' },
+      { name: 'pg', version: '<9', file: 'lib/native/client.js' },
       (client) => {
         patcher.patch(client.prototype, 'query', {
           name: pgNativeClientQueryPatchName,
@@ -148,7 +147,7 @@ module.exports = function(core) {
       },
     );
-    depHooks.resolve({ name: 'pg-pool' }, (pool) => {
+    depHooks.resolve({ name: 'pg-pool', version: '<4' }, (pool) => {
       const name = 'pg-pool.Pool.prototype.query';
       patcher.patch(pool.prototype, 'query', {
         name,

package/lib/dataflow/sinks/install/postgres.test.js CHANGED Viewed

@@ -28,15 +28,9 @@ describe('assess dataflow sinks postgres', function () {
     reportFindings = sinon.stub(core.assess.dataflow.sinks, 'reportFindings');
     reportSafePositive = sinon.stub(core.assess.dataflow.sinks, 'reportSafePositive');
-    core.depHooks.resolve
-      .withArgs({ name: 'pg', file: 'lib/client.js' })
-      .yields(Client);
-    core.depHooks.resolve
-      .withArgs({ name: 'pg', file: 'lib/native/client.js' })
-      .yields(NativeClient);
-    core.depHooks.resolve.withArgs({ name: 'pg-pool' }).yields(Pool);
+    core.depHooks.resolve.withArgs(sinon.match({ name: 'pg', file: 'lib/client.js' })).yields(Client);
+    core.depHooks.resolve.withArgs(sinon.match({ name: 'pg', file: 'lib/native/client.js' })).yields(NativeClient);
+    core.depHooks.resolve.withArgs(sinon.match({ name: 'pg-pool' })).yields(Pool);
     require('./postgres')(core).install();
   });

package/lib/dataflow/sinks/install/restify.js CHANGED Viewed

@@ -28,7 +28,6 @@ const {
   isString,
   primordials: { ArrayPrototypeJoin },
 } = require('@contrast/common');
-const { InstrumentationType: { RULE } } = require('../../../constants');
 const { createAppendTags } = require('../../tag-utils');
 const { patchType } = require('../common');
@@ -45,7 +44,7 @@ module.exports = function(core) {
     depHooks,
     patcher,
     assess: {
-      getSourceContext,
+      getSinkContext,
       eventFactory: { createSinkEvent },
       dataflow: {
         tracker,
@@ -114,7 +113,7 @@ module.exports = function(core) {
     install() {
       // restify adds functionality to the built-in response via this patch function.
       // once it returns the request, it'll have been decorated with redirect() method.
-      depHooks.resolve({ name: 'restify', file: 'lib/response.js' }, (responsePatch) => patcher.patch(responsePatch, {
+      depHooks.resolve({ name: 'restify', version: '<12', file: 'lib/response.js' }, (responsePatch) => patcher.patch(responsePatch, {
         name: 'restify.response.patch',
         patchType,
         post(data) {
@@ -122,7 +121,7 @@ module.exports = function(core) {
             patchType,
             name: 'restify.Response.redirect',
             pre(data) {
-              if (!getSourceContext(RULE, ruleId)) return;
+              if (!getSinkContext(ruleId)) return;
               let vulnArgIdx;
               let vulnArgIsString = true;