npm - @contrast/assess - Versions diffs - 1.44.0 → 1.46.0 - Mend

@contrast/assess 1.44.0 → 1.46.0

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (175) hide show

package/lib/dataflow/sources/install/graphql-http.test.js ADDED Viewed

@@ -0,0 +1,133 @@
+'use strict';
+const sinon = require('sinon');
+const { expect } = require('chai');
+const { initAssessFixture } = require('@contrast/test/fixtures');
+const { InputType } = require('@contrast/common');
+describe('assess dataflow sources graphql-http v1', function () {
+  let core, simulateRequestScope, createHandler, parseRequestParams, _exports;
+  this.beforeEach(function () {
+    ({ core, simulateRequestScope } = initAssessFixture());
+    sinon.stub(core.assess.dataflow.sources, 'handle');
+    createHandler = sinon.stub().callsFake(({ parseRequestParams }) =>
+      sinon.stub().callsFake((req) => parseRequestParams(req)),
+    );
+    parseRequestParams = sinon.stub().resolves({ query: 'query { foo }' });
+    require('./graphql-http')(core).install();
+    _exports = core.depHooks.resolve.yield({ createHandler, parseRequestParams })[0];
+  });
+  describe('parseRequestParams', function () {
+    it('does not emit an event when the parser does not return a promise', function () {
+      parseRequestParams.returns(undefined);
+      return simulateRequestScope(async () => {
+        await _exports.parseRequestParams();
+        expect(core.assess.dataflow.sources.handle).not.to.have.been.called;
+      });
+    });
+    it('does not emit an event when the parser does not resolve a result', function () {
+      parseRequestParams.resolves(undefined);
+      return simulateRequestScope(async () => {
+        await _exports.parseRequestParams();
+        expect(core.assess.dataflow.sources.handle).not.to.have.been.called;
+      });
+    });
+    it('does not emit an event when outside of a source context', async function () {
+      await _exports.parseRequestParams();
+      expect(core.assess.dataflow.sources.handle).not.to.have.been.called;
+    });
+    it('does not emit an event when already parsed', function () {
+      return simulateRequestScope(async () => {
+        await _exports.parseRequestParams();
+        expect(core.assess.dataflow.sources.handle).not.to.have.been.called;
+        expect(core.logger.trace).to.have.been.calledWith(sinon.match.object, 'values already tracked');
+      }, { assess: { parsedBody: true } });
+    });
+    it('emits an event when handling a GET request', function () {
+      return simulateRequestScope(async () => {
+        await _exports.parseRequestParams({ method: 'GET' });
+        expect(core.assess.dataflow.sources.handle).to.have.been.calledWithMatch({
+          name: 'graphql-http.parseRequestParams',
+          context: 'req.url',
+          inputType: InputType.PARAMETER_VALUE,
+          data: { query: 'query { foo }' },
+          keys: ['query'],
+          sourceContext: core.scopes.sources.getStore().assess,
+          stacktraceOpts: {
+            constructorOpt: sinon.match.func,
+            prependFrames: [sinon.match.func],
+          },
+        });
+      });
+    });
+    it('emits an event when handling a POST request', function () {
+      return simulateRequestScope(async () => {
+        await _exports.parseRequestParams({ method: 'POST' });
+        expect(core.assess.dataflow.sources.handle).to.have.been.calledWithMatch({
+          name: 'graphql-http.parseRequestParams',
+          context: 'req.body',
+          inputType: InputType.JSON_VALUE,
+          data: { query: 'query { foo }' },
+          keys: ['query'],
+          sourceContext: core.scopes.sources.getStore().assess,
+          stacktraceOpts: {
+            constructorOpt: sinon.match.func,
+            prependFrames: [sinon.match.func],
+          },
+        });
+      });
+    });
+    it('handles errors when emitting', function () {
+      const err = new Error('test');
+      core.assess.dataflow.sources.handle.throws(err);
+      return simulateRequestScope(async () => {
+        await _exports.parseRequestParams({ method: 'POST' });
+        expect(core.logger.error).to.have.been.calledWith(sinon.match.object, 'unable to handle source');
+      });
+    });
+  });
+  describe('createHandler', function () {
+    it('provides the patched default when no parseRequestParams is provided', function () {
+      const handler = _exports.createHandler({ schema: {} });
+      const req = { method: 'POST' };
+      return simulateRequestScope(async () => {
+        await handler(req);
+        expect(parseRequestParams).to.have.been.calledWith(req);
+        expect(core.assess.dataflow.sources.handle).to.have.been.called;
+      });
+    });
+    it('patches a provided parseRequestParams function', function () {
+      const newParseRequestParams = sinon.stub().resolves({ query: 'query SomethingElse { bar } ' });
+      const handler = _exports.createHandler({ schema: {}, parseRequestParams: newParseRequestParams });
+      const req = { method: 'GET' };
+      return simulateRequestScope(async () => {
+        await handler(req);
+        expect(parseRequestParams).not.to.have.been.called;
+        expect(newParseRequestParams).to.have.been.calledWith(req);
+        expect(core.assess.dataflow.sources.handle).to.have.been.calledWithMatch({
+          data: { query: 'query SomethingElse { bar } ' }
+        });
+      });
+    });
+  });
+});

package/lib/dataflow/sources/install/hapi/hapi.js CHANGED Viewed

@@ -1,5 +1,5 @@
 /*
- * Copyright: 2024 Contrast Security, Inc
+ * Copyright: 2025 Contrast Security, Inc
  * Contact: support@contrastsecurity.com
  * License: Commercial

package/lib/dataflow/sources/install/hapi/index.js CHANGED Viewed

@@ -1,5 +1,5 @@
 /*
- * Copyright: 2024 Contrast Security, Inc
+ * Copyright: 2025 Contrast Security, Inc
  * Contact: support@contrastsecurity.com
  * License: Commercial

package/lib/dataflow/sources/install/http.js CHANGED Viewed

@@ -1,5 +1,5 @@
 /*
- * Copyright: 2024 Contrast Security, Inc
+ * Copyright: 2025 Contrast Security, Inc
  * Contact: support@contrastsecurity.com
  * License: Commercial

package/lib/dataflow/sources/install/koa/index.js CHANGED Viewed

@@ -1,5 +1,5 @@
 /*
- * Copyright: 2024 Contrast Security, Inc
+ * Copyright: 2025 Contrast Security, Inc
  * Contact: support@contrastsecurity.com
  * License: Commercial

package/lib/dataflow/sources/install/koa/koa-bodyparsers.js CHANGED Viewed

@@ -1,5 +1,5 @@
 /*
- * Copyright: 2024 Contrast Security, Inc
+ * Copyright: 2025 Contrast Security, Inc
  * Contact: support@contrastsecurity.com
  * License: Commercial

package/lib/dataflow/sources/install/koa/koa-multer.js CHANGED Viewed

@@ -1,5 +1,5 @@
 /*
- * Copyright: 2024 Contrast Security, Inc
+ * Copyright: 2025 Contrast Security, Inc
  * Contact: support@contrastsecurity.com
  * License: Commercial

package/lib/dataflow/sources/install/koa/koa-routers.js CHANGED Viewed

@@ -1,5 +1,5 @@
 /*
- * Copyright: 2024 Contrast Security, Inc
+ * Copyright: 2025 Contrast Security, Inc
  * Contact: support@contrastsecurity.com
  * License: Commercial

package/lib/dataflow/sources/install/koa/koa2.js CHANGED Viewed

@@ -1,5 +1,5 @@
 /*
- * Copyright: 2024 Contrast Security, Inc
+ * Copyright: 2025 Contrast Security, Inc
  * Contact: support@contrastsecurity.com
  * License: Commercial

package/lib/dataflow/sources/install/multer1.js CHANGED Viewed

@@ -1,5 +1,5 @@
 /*
- * Copyright: 2024 Contrast Security, Inc
+ * Copyright: 2025 Contrast Security, Inc
  * Contact: support@contrastsecurity.com
  * License: Commercial

package/lib/dataflow/sources/install/qs6.js CHANGED Viewed

@@ -1,5 +1,5 @@
 /*
- * Copyright: 2024 Contrast Security, Inc
+ * Copyright: 2025 Contrast Security, Inc
  * Contact: support@contrastsecurity.com
  * License: Commercial

package/lib/dataflow/sources/install/querystring.js CHANGED Viewed

@@ -1,5 +1,5 @@
 /*
- * Copyright: 2024 Contrast Security, Inc
+ * Copyright: 2025 Contrast Security, Inc
  * Contact: support@contrastsecurity.com
  * License: Commercial

package/lib/dataflow/sources/install/restify/fieldedTextBodyParser.js CHANGED Viewed

@@ -1,5 +1,5 @@
 /*
- * Copyright: 2024 Contrast Security, Inc
+ * Copyright: 2025 Contrast Security, Inc
  * Contact: support@contrastsecurity.com
  * License: Commercial

package/lib/dataflow/sources/install/restify/index.js CHANGED Viewed

@@ -1,5 +1,5 @@
 /*
- * Copyright: 2024 Contrast Security, Inc
+ * Copyright: 2025 Contrast Security, Inc
  * Contact: support@contrastsecurity.com
  * License: Commercial

package/lib/dataflow/sources/install/restify/jsonBodyParser.js CHANGED Viewed

@@ -1,5 +1,5 @@
 /*
- * Copyright: 2024 Contrast Security, Inc
+ * Copyright: 2025 Contrast Security, Inc
  * Contact: support@contrastsecurity.com
  * License: Commercial

package/lib/dataflow/sources/install/restify/router.js CHANGED Viewed

@@ -1,5 +1,5 @@
 /*
- * Copyright: 2024 Contrast Security, Inc
+ * Copyright: 2025 Contrast Security, Inc
  * Contact: support@contrastsecurity.com
  * License: Commercial

package/lib/dataflow/tag-utils.js CHANGED Viewed

@@ -1,5 +1,5 @@
 /*
- * Copyright: 2024 Contrast Security, Inc
+ * Copyright: 2025 Contrast Security, Inc
  * Contact: support@contrastsecurity.com
  * License: Commercial

package/lib/dataflow/tracker.js CHANGED Viewed

@@ -1,5 +1,5 @@
 /*
- * Copyright: 2024 Contrast Security, Inc
+ * Copyright: 2025 Contrast Security, Inc
  * Contact: support@contrastsecurity.com
  * License: Commercial

package/lib/dataflow/utils/is-safe-content-type.js CHANGED Viewed

@@ -1,5 +1,5 @@
 /*
- * Copyright: 2024 Contrast Security, Inc
+ * Copyright: 2025 Contrast Security, Inc
  * Contact: support@contrastsecurity.com
  * License: Commercial

package/lib/dataflow/utils/is-vulnerable.js CHANGED Viewed

@@ -1,5 +1,5 @@
 /*
- * Copyright: 2024 Contrast Security, Inc
+ * Copyright: 2025 Contrast Security, Inc
  * Contact: support@contrastsecurity.com
  * License: Commercial

package/lib/event-factory.js CHANGED Viewed

@@ -1,5 +1,5 @@
 /*
- * Copyright: 2024 Contrast Security, Inc
+ * Copyright: 2025 Contrast Security, Inc
  * Contact: support@contrastsecurity.com
  * License: Commercial

package/lib/get-policy.js CHANGED Viewed

@@ -1,5 +1,5 @@
 /*
- * Copyright: 2024 Contrast Security, Inc
+ * Copyright: 2025 Contrast Security, Inc
  * Contact: support@contrastsecurity.com
  * License: Commercial

package/lib/get-source-context.js CHANGED Viewed

@@ -1,5 +1,5 @@
 /*
- * Copyright: 2024 Contrast Security, Inc
+ * Copyright: 2025 Contrast Security, Inc
  * Contact: support@contrastsecurity.com
  * License: Commercial

package/lib/index.d.ts CHANGED Viewed

@@ -1,5 +1,5 @@
 /*
- * Copyright: 2024 Contrast Security, Inc
+ * Copyright: 2025 Contrast Security, Inc
  * Contact: support@contrastsecurity.com
  * License: Commercial

package/lib/index.js CHANGED Viewed

@@ -1,5 +1,5 @@
 /*
- * Copyright: 2024 Contrast Security, Inc
+ * Copyright: 2025 Contrast Security, Inc
  * Contact: support@contrastsecurity.com
  * License: Commercial

package/lib/make-source-context.js CHANGED Viewed

@@ -1,5 +1,5 @@
 /*
- * Copyright: 2024 Contrast Security, Inc
+ * Copyright: 2025 Contrast Security, Inc
  * Contact: support@contrastsecurity.com
  * License: Commercial

package/lib/response-scanning/handlers/index.js CHANGED Viewed

@@ -1,5 +1,5 @@
 /*
- * Copyright: 2024 Contrast Security, Inc
+ * Copyright: 2025 Contrast Security, Inc
  * Contact: support@contrastsecurity.com
  * License: Commercial

package/lib/response-scanning/handlers/utils.js CHANGED Viewed

@@ -1,5 +1,5 @@
 /*
- * Copyright: 2024 Contrast Security, Inc
+ * Copyright: 2025 Contrast Security, Inc
  * Contact: support@contrastsecurity.com
  * License: Commercial

package/lib/response-scanning/index.js CHANGED Viewed

@@ -1,5 +1,5 @@
 /*
- * Copyright: 2024 Contrast Security, Inc
+ * Copyright: 2025 Contrast Security, Inc
  * Contact: support@contrastsecurity.com
  * License: Commercial

package/lib/response-scanning/install/http.js CHANGED Viewed

@@ -1,5 +1,5 @@
 /*
- * Copyright: 2024 Contrast Security, Inc
+ * Copyright: 2025 Contrast Security, Inc
  * Contact: support@contrastsecurity.com
  * License: Commercial

package/lib/rule-scopes.js CHANGED Viewed

@@ -1,5 +1,5 @@
 /*
- * Copyright: 2024 Contrast Security, Inc
+ * Copyright: 2025 Contrast Security, Inc
  * Contact: support@contrastsecurity.com
  * License: Commercial

package/lib/sampler/common.js CHANGED Viewed

@@ -1,5 +1,5 @@
 /*
- * Copyright: 2024 Contrast Security, Inc
+ * Copyright: 2025 Contrast Security, Inc
  * Contact: support@contrastsecurity.com
  * License: Commercial

package/lib/sampler/index.js CHANGED Viewed

@@ -1,5 +1,5 @@
 /*
- * Copyright: 2024 Contrast Security, Inc
+ * Copyright: 2025 Contrast Security, Inc
  * Contact: support@contrastsecurity.com
  * License: Commercial

package/lib/session-configuration/common.js CHANGED Viewed

@@ -1,5 +1,5 @@
 /*
- * Copyright: 2024 Contrast Security, Inc
+ * Copyright: 2025 Contrast Security, Inc
  * Contact: support@contrastsecurity.com
  * License: Commercial

package/lib/session-configuration/handlers.js CHANGED Viewed

@@ -1,5 +1,5 @@
 /*
- * Copyright: 2024 Contrast Security, Inc
+ * Copyright: 2025 Contrast Security, Inc
  * Contact: support@contrastsecurity.com
  * License: Commercial

package/lib/session-configuration/index.js CHANGED Viewed

@@ -1,5 +1,5 @@
 /*
- * Copyright: 2024 Contrast Security, Inc
+ * Copyright: 2025 Contrast Security, Inc
  * Contact: support@contrastsecurity.com
  * License: Commercial

package/lib/session-configuration/install/express-session.js CHANGED Viewed

@@ -1,5 +1,5 @@
 /*
- * Copyright: 2024 Contrast Security, Inc
+ * Copyright: 2025 Contrast Security, Inc
  * Contact: support@contrastsecurity.com
  * License: Commercial

package/lib/session-configuration/install/fastify-cookie.js CHANGED Viewed

@@ -1,5 +1,5 @@
 /*
- * Copyright: 2024 Contrast Security, Inc
+ * Copyright: 2025 Contrast Security, Inc
  * Contact: support@contrastsecurity.com
  * License: Commercial

package/lib/session-configuration/install/hapi.js CHANGED Viewed

@@ -1,5 +1,5 @@
 /*
- * Copyright: 2024 Contrast Security, Inc
+ * Copyright: 2025 Contrast Security, Inc
  * Contact: support@contrastsecurity.com
  * License: Commercial

package/lib/session-configuration/install/koa.js CHANGED Viewed

@@ -1,5 +1,5 @@
 /*
- * Copyright: 2024 Contrast Security, Inc
+ * Copyright: 2025 Contrast Security, Inc
  * Contact: support@contrastsecurity.com
  * License: Commercial

package/package.json CHANGED Viewed

@@ -1,6 +1,6 @@
 {
   "name": "@contrast/assess",
-  "version": "1.44.0",
+  "version": "1.46.0",
   "description": "Contrast service providing framework-agnostic Assess support",
   "license": "SEE LICENSE IN LICENSE",
   "author": "Contrast Security <nodejs@contrastsecurity.com> (https://www.contrastsecurity.com)",
@@ -17,17 +17,17 @@
     "test": "../scripts/test.sh"
   },
   "dependencies": {
-    "@contrast/common": "1.29.0",
-    "@contrast/config": "1.39.0",
-    "@contrast/core": "1.44.0",
-    "@contrast/dep-hooks": "1.13.0",
+    "@contrast/common": "1.29.1",
+    "@contrast/config": "1.40.1",
+    "@contrast/core": "1.45.1",
+    "@contrast/dep-hooks": "1.14.1",
     "@contrast/distringuish": "^5.1.0",
-    "@contrast/instrumentation": "1.23.0",
-    "@contrast/logger": "1.17.0",
-    "@contrast/patcher": "1.16.0",
-    "@contrast/rewriter": "1.20.0",
-    "@contrast/route-coverage": "1.34.0",
-    "@contrast/scopes": "1.14.0",
+    "@contrast/instrumentation": "1.24.1",
+    "@contrast/logger": "1.18.1",
+    "@contrast/patcher": "1.17.1",
+    "@contrast/rewriter": "1.21.1",
+    "@contrast/route-coverage": "1.35.1",
+    "@contrast/scopes": "1.15.1",
     "semver": "^7.6.0"
   }
 }