@contrast/assess 1.5.0 → 1.7.0

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
Files changed (40) hide show
  1. package/lib/dataflow/event-factory.js +10 -5
  2. package/lib/dataflow/propagation/index.js +1 -0
  3. package/lib/dataflow/propagation/install/contrast-methods/string.js +5 -1
  4. package/lib/dataflow/propagation/install/decode-uri-component.js +5 -2
  5. package/lib/dataflow/propagation/install/ejs/escape-xml.js +5 -2
  6. package/lib/dataflow/propagation/install/encode-uri-component.js +5 -2
  7. package/lib/dataflow/propagation/install/escape-html.js +7 -4
  8. package/lib/dataflow/propagation/install/escape.js +5 -2
  9. package/lib/dataflow/propagation/install/handlebars-utils-escape-expression.js +5 -2
  10. package/lib/dataflow/propagation/install/mysql-connection-escape.js +5 -2
  11. package/lib/dataflow/propagation/install/pug-runtime-escape.js +5 -2
  12. package/lib/dataflow/propagation/install/querystring/parse.js +8 -3
  13. package/lib/dataflow/propagation/install/sequelize.js +310 -0
  14. package/lib/dataflow/propagation/install/sql-template-strings.js +5 -4
  15. package/lib/dataflow/propagation/install/string/match.js +2 -2
  16. package/lib/dataflow/propagation/install/string/replace.js +13 -4
  17. package/lib/dataflow/propagation/install/unescape.js +5 -2
  18. package/lib/dataflow/propagation/install/validator/methods.js +60 -51
  19. package/lib/dataflow/sinks/common.js +10 -1
  20. package/lib/dataflow/sinks/index.js +34 -1
  21. package/lib/dataflow/sinks/install/child-process.js +150 -13
  22. package/lib/dataflow/sinks/install/express/index.js +29 -0
  23. package/lib/dataflow/sinks/install/express/unvalidated-redirect.js +134 -0
  24. package/lib/dataflow/sinks/install/fastify/unvalidated-redirect.js +113 -75
  25. package/lib/dataflow/sinks/install/fs.js +136 -0
  26. package/lib/dataflow/sinks/install/http.js +46 -17
  27. package/lib/dataflow/sinks/install/koa/unvalidated-redirect.js +50 -17
  28. package/lib/dataflow/sinks/install/marsdb.js +135 -0
  29. package/lib/dataflow/sinks/install/mongodb.js +322 -0
  30. package/lib/dataflow/sinks/install/mssql.js +19 -10
  31. package/lib/dataflow/sinks/install/mysql.js +138 -0
  32. package/lib/dataflow/sinks/install/postgres.js +37 -23
  33. package/lib/dataflow/sinks/install/sequelize.js +142 -0
  34. package/lib/dataflow/sinks/install/sqlite3.js +20 -10
  35. package/lib/dataflow/sources/handler.js +14 -9
  36. package/lib/dataflow/sources/index.js +4 -1
  37. package/lib/dataflow/sources/install/body-parser1.js +120 -0
  38. package/lib/dataflow/sources/install/cookie-parser1.js +101 -0
  39. package/lib/dataflow/sources/install/express/index.js +28 -0
  40. package/package.json +3 -3
package/lib/dataflow/event-factory.js CHANGED
@@ -166,17 +166,22 @@ module.exports = function(core) {
166
166
 
167
167
  const sourceContext = sources.getStore()?.assess;
168
168
  if (!sourceContext) {
169
- logger.debug('No sourceContext found during Sink event creation');
169
+ logger.debug('no sourceContext found during sink event creation');
170
170
  return null;
171
171
  }
172
-
173
172
  const signature = signatures.get(name);
173
+ if (!signature) {
174
+ logger.debug({ name }, 'no signature found for sink event name');
175
+ return null;
176
+ }
177
+ if (!history.length) {
178
+ logger.debug({ data }, 'empty history for sink event');
179
+ return null;
180
+ }
174
181
  if (
175
- !signature ||
176
- !history.length ||
177
182
  ((source && !source.match(annotationRegExp)) || (!source && !signature.source))
178
183
  ) {
179
- logger.debug({ data }, 'Wrong sink event data submited. Sink event not created');
184
+ logger.debug({ data }, 'malformed or missing sink event source field');
180
185
  return null;
181
186
  }
182
187
 
package/lib/dataflow/propagation/index.js CHANGED
@@ -37,6 +37,7 @@ module.exports = function(core) {
37
37
  require('./install/sql-template-strings')(core);
38
38
  require('./install/unescape')(core);
39
39
  require('./install/querystring')(core);
40
+ require('./install/sequelize')(core);
40
41
 
41
42
  propagation.install = function() {
42
43
  callChildComponentMethodsSync(propagation, 'install');
package/lib/dataflow/propagation/install/contrast-methods/string.js CHANGED
@@ -22,7 +22,9 @@ module.exports = function(core) {
22
22
  scopes: { sources, instrumentation },
23
23
  patcher,
24
24
  assess: {
25
- dataflow: { tracker }
25
+ dataflow: {
26
+ tracker
27
+ },
26
28
  }
27
29
  } = core;
28
30
 
@@ -36,6 +38,7 @@ module.exports = function(core) {
36
38
 
37
39
  const arg = data.args[0];
38
40
  let argInfo = tracker.getData(arg);
41
+ if (tracker.getData(data.result)) return;
39
42
 
40
43
  if (data.obj && !argInfo) {
41
44
  argInfo = tracker.getData(data.result.toString());
@@ -46,6 +49,7 @@ module.exports = function(core) {
46
49
  }
47
50
 
48
51
  const { extern } = tracker.track(data.result, argInfo);
52
+
49
53
  if (extern) {
50
54
  data.result = extern;
51
55
  }
package/lib/dataflow/propagation/install/decode-uri-component.js CHANGED
@@ -15,6 +15,9 @@
15
15
 
16
16
  'use strict';
17
17
 
18
+ const {
19
+ DataflowTag: { URL_ENCODED }
20
+ } = require('@contrast/common');
18
21
  const {
19
22
  createFullLengthCopyTags
20
23
  } = require('../../tag-utils');
@@ -47,7 +50,7 @@ module.exports = function(core) {
47
50
  // the result is not tracked, so we don't need to check for that
48
51
  const history = [argInfo];
49
52
  const newTags = createFullLengthCopyTags(argInfo.tags, result.length);
50
- delete newTags['url-encoded'];
53
+ delete newTags[URL_ENCODED];
51
54
 
52
55
  if (!Object.keys(newTags).length) return;
53
56
 
@@ -64,7 +67,7 @@ module.exports = function(core) {
64
67
  args: [{ value: argInfo.value, tracked: true }],
65
68
  tags: newTags,
66
69
  history,
67
- removedTags: ['url-encoded'],
70
+ removedTags: [URL_ENCODED],
68
71
  stacktraceOpts: {
69
72
  constructorOpt: hooked,
70
73
  prependFrames: [orig]
package/lib/dataflow/propagation/install/ejs/escape-xml.js CHANGED
@@ -15,6 +15,9 @@
15
15
 
16
16
  'use strict';
17
17
 
18
+ const {
19
+ DataflowTag: { WEAK_URL_ENCODED }
20
+ } = require('@contrast/common');
18
21
  const {
19
22
  createFullLengthCopyTags
20
23
  } = require('../../../tag-utils');
@@ -48,7 +51,7 @@ module.exports = function(core) {
48
51
  const history = [argInfo];
49
52
  const newTags = createFullLengthCopyTags(argInfo.tags, result.length);
50
53
 
51
- newTags['weak-url-encoded'] = [0, result.length - 1];
54
+ newTags[WEAK_URL_ENCODED] = [0, result.length - 1];
52
55
 
53
56
  const event = createPropagationEvent({
54
57
  name: 'ejs.utils.escapeXML',
@@ -62,7 +65,7 @@ module.exports = function(core) {
62
65
  },
63
66
  args: [{ value: argInfo.value, tracked: true }],
64
67
  tags: newTags,
65
- addedTags: ['weak-url-encoded'],
68
+ addedTags: [WEAK_URL_ENCODED],
66
69
  history,
67
70
  stacktraceOpts: {
68
71
  constructorOpt: hooked,
package/lib/dataflow/propagation/install/encode-uri-component.js CHANGED
@@ -15,6 +15,9 @@
15
15
 
16
16
  'use strict';
17
17
 
18
+ const {
19
+ DataflowTag: { URL_ENCODED }
20
+ } = require('@contrast/common');
18
21
  const {
19
22
  createFullLengthCopyTags
20
23
  } = require('../../tag-utils');
@@ -48,7 +51,7 @@ module.exports = function(core) {
48
51
  const history = [argInfo];
49
52
  const newTags = createFullLengthCopyTags(argInfo.tags, result.length);
50
53
 
51
- newTags['url-encoded'] = [0, result.length - 1];
54
+ newTags[URL_ENCODED] = [0, result.length - 1];
52
55
 
53
56
  const event = createPropagationEvent({
54
57
  name: 'global.encodeURIComponent',
@@ -63,7 +66,7 @@ module.exports = function(core) {
63
66
  args: [{ value: argInfo.value, tracked: true }],
64
67
  tags: newTags,
65
68
  history,
66
- addedTags: ['url-encoded'],
69
+ addedTags: [URL_ENCODED],
67
70
  stacktraceOpts: {
68
71
  constructorOpt: hooked,
69
72
  prependFrames: [orig]
package/lib/dataflow/propagation/install/escape-html.js CHANGED
@@ -15,10 +15,13 @@
15
15
 
16
16
  'use strict';
17
17
 
18
+ const {
19
+ DataflowTag: { HTML_ENCODED }
20
+ } = require('@contrast/common');
18
21
  const {
19
22
  createFullLengthCopyTags
20
23
  } = require('../../tag-utils');
21
- const { patchType, createModuleLabel } = require('../common');
24
+ const { patchType } = require('../common');
22
25
 
23
26
  module.exports = function(core) {
24
27
  const {
@@ -48,12 +51,12 @@ module.exports = function(core) {
48
51
  const history = [argInfo];
49
52
  const newTags = createFullLengthCopyTags(argInfo.tags, result.length);
50
53
 
51
- newTags['html-encoded'] = [0, result.length - 1];
54
+ newTags[HTML_ENCODED] = [0, result.length - 1];
52
55
 
53
56
  const event = createPropagationEvent({
54
57
  name: 'escape-html',
55
58
  object: {
56
- value: createModuleLabel('escape-html', version),
59
+ value: 'escape-html',
57
60
  tracked: false
58
61
  },
59
62
  result: {
@@ -63,7 +66,7 @@ module.exports = function(core) {
63
66
  args: [{ value: argInfo.value, tracked: true }],
64
67
  tags: newTags,
65
68
  history,
66
- addedTags: ['html-encoded'],
69
+ addedTags: [HTML_ENCODED],
67
70
  stacktraceOpts: {
68
71
  constructorOpt: hooked,
69
72
  prependFrames: [orig]
package/lib/dataflow/propagation/install/escape.js CHANGED
@@ -15,6 +15,9 @@
15
15
 
16
16
  'use strict';
17
17
 
18
+ const {
19
+ DataflowTag: { WEAK_URL_ENCODED }
20
+ } = require('@contrast/common');
18
21
  const {
19
22
  createFullLengthCopyTags
20
23
  } = require('../../tag-utils');
@@ -46,7 +49,7 @@ module.exports = function(core) {
46
49
  const history = [argInfo];
47
50
  const newTags = createFullLengthCopyTags(argInfo.tags, result.length);
48
51
 
49
- newTags['weak-url-encoded'] = [0, result.length - 1];
52
+ newTags[WEAK_URL_ENCODED] = [0, result.length - 1];
50
53
 
51
54
  const event = createPropagationEvent({
52
55
  name: 'global.escape',
@@ -61,7 +64,7 @@ module.exports = function(core) {
61
64
  args: [{ value: argInfo.value, tracked: true }],
62
65
  tags: newTags,
63
66
  history,
64
- addedTags: ['weak-url-encoded'],
67
+ addedTags: [WEAK_URL_ENCODED],
65
68
  stacktraceOpts: {
66
69
  constructorOpt: hooked,
67
70
  prependFrames: [orig]
package/lib/dataflow/propagation/install/handlebars-utils-escape-expression.js CHANGED
@@ -15,6 +15,9 @@
15
15
 
16
16
  'use strict';
17
17
 
18
+ const {
19
+ DataflowTag: { HTML_ENCODED }
20
+ } = require('@contrast/common');
18
21
  const {
19
22
  createFullLengthCopyTags
20
23
  } = require('../../tag-utils');
@@ -48,7 +51,7 @@ module.exports = function(core) {
48
51
  const history = [argInfo];
49
52
  const newTags = createFullLengthCopyTags(argInfo.tags, result.length);
50
53
 
51
- newTags['html-encoded'] = [0, result.length - 1];
54
+ newTags[HTML_ENCODED] = [0, result.length - 1];
52
55
 
53
56
  const event = createPropagationEvent({
54
57
  name: 'handlebars.Utils.escapeExpression',
@@ -62,7 +65,7 @@ module.exports = function(core) {
62
65
  },
63
66
  args: [{ value: argInfo.value, tracked: true }],
64
67
  tags: newTags,
65
- addedTags: ['html-encoded'],
68
+ addedTags: [HTML_ENCODED],
66
69
  history,
67
70
  stacktraceOpts: {
68
71
  constructorOpt: hooked,
package/lib/dataflow/propagation/install/mysql-connection-escape.js CHANGED
@@ -15,6 +15,9 @@
15
15
 
16
16
  'use strict';
17
17
 
18
+ const {
19
+ DataflowTag: { SQL_ENCODED }
20
+ } = require('@contrast/common');
18
21
  const {
19
22
  createFullLengthCopyTags
20
23
  } = require('../../tag-utils');
@@ -43,7 +46,7 @@ module.exports = function(core) {
43
46
  const history = [argInfo];
44
47
  const newTags = createFullLengthCopyTags(argInfo.tags, result.length);
45
48
 
46
- newTags['sql-encoded'] = [0, result.length - 1];
49
+ newTags[SQL_ENCODED] = [0, result.length - 1];
47
50
 
48
51
  const event = createPropagationEvent({
49
52
  name: eventName,
@@ -57,7 +60,7 @@ module.exports = function(core) {
57
60
  },
58
61
  args: [{ value: argInfo.value, tracked: true }],
59
62
  tags: newTags,
60
- addedTags: ['sql-encoded'],
63
+ addedTags: [SQL_ENCODED],
61
64
  history,
62
65
  stacktraceOpts: {
63
66
  constructorOpt: hooked,
package/lib/dataflow/propagation/install/pug-runtime-escape.js CHANGED
@@ -15,6 +15,9 @@
15
15
 
16
16
  'use strict';
17
17
 
18
+ const {
19
+ DataflowTag: { WEAK_URL_ENCODED }
20
+ } = require('@contrast/common');
18
21
  const {
19
22
  createFullLengthCopyTags
20
23
  } = require('../../tag-utils');
@@ -48,7 +51,7 @@ module.exports = function(core) {
48
51
  const history = [argInfo];
49
52
  const newTags = createFullLengthCopyTags(argInfo.tags, result.length);
50
53
 
51
- newTags['weak-url-encoded'] = [0, result.length - 1];
54
+ newTags[WEAK_URL_ENCODED] = [0, result.length - 1];
52
55
 
53
56
  const event = createPropagationEvent({
54
57
  name: 'pug-runtime.escape',
@@ -62,7 +65,7 @@ module.exports = function(core) {
62
65
  },
63
66
  args: [{ value: argInfo.value, tracked: true }],
64
67
  tags: newTags,
65
- addedTags: ['weak-url-encoded'],
68
+ addedTags: [WEAK_URL_ENCODED],
66
69
  history,
67
70
  stacktraceOpts: {
68
71
  constructorOpt: hooked,
package/lib/dataflow/propagation/install/querystring/parse.js CHANGED
@@ -14,8 +14,13 @@
14
14
  */
15
15
 
16
16
  'use strict';
17
+
17
18
  const util = require('util');
18
19
  const querystring = require('querystring');
20
+ const {
21
+ DataflowTag: { URL_ENCODED }
22
+ } = require('@contrast/common');
23
+
19
24
  const { patchType } = require('../../common');
20
25
  const { createSubsetTags, createAppendTags } = require('../../../tag-utils');
21
26
 
@@ -73,9 +78,9 @@ module.exports = function(core) {
73
78
  event.tags = createAppendTags(event.tags, resultInfo.tags, 0);
74
79
  Object.assign(resultInfo, event);
75
80
  }
76
- if (event.tags['url-encoded']) {
77
- delete event.tags['url-encoded'];
78
- event.removedTags = ['url-encoded'];
81
+ if (event.tags[URL_ENCODED]) {
82
+ delete event.tags[URL_ENCODED];
83
+ event.removedTags = [URL_ENCODED];
79
84
  }
80
85
  const { extern } = resultInfo || tracker.track(result, event);
81
86
  if (extern) {
package/lib/dataflow/propagation/install/sequelize.js ADDED
@@ -0,0 +1,310 @@
1
+ /*
2
+ * Copyright: 2022 Contrast Security, Inc
3
+ * Contact: support@contrastsecurity.com
4
+ * License: Commercial
5
+
6
+ * NOTICE: This Software and the patented inventions embodied within may only be
7
+ * used as part of Contrast Security’s commercial offerings. Even though it is
8
+ * made available through public repositories, use of this Software is subject to
9
+ * the applicable End User Licensing Agreement found at
10
+ * https://www.contrastsecurity.com/enduser-terms-0317a or as otherwise agreed
11
+ * between Contrast Security and the End User. The Software may not be reverse
12
+ * engineered, modified, repackaged, sold, redistributed or otherwise used in a
13
+ * way not consistent with the End User License Agreement.
14
+ */
15
+
16
+ 'use strict';
17
+
18
+ const {
19
+ isString,
20
+ DataflowTag: { SQL_ENCODED },
21
+ } = require('@contrast/common');
22
+ const { patchType, createModuleLabel } = require('../common');
23
+
24
+ module.exports = function (core) {
25
+ const {
26
+ scopes: { sources, instrumentation },
27
+ patcher,
28
+ depHooks,
29
+ assess: {
30
+ dataflow: {
31
+ tracker,
32
+ eventFactory: { createPropagationEvent },
33
+ },
34
+ },
35
+ } = core;
36
+
37
+ function getFormatPostions(str) {
38
+ const positions = [];
39
+ let index = -1;
40
+
41
+ while ((index = str.indexOf('?', index + 1)) !== -1) {
42
+ positions.push(index);
43
+ }
44
+
45
+ return positions;
46
+ }
47
+
48
+ function getFormatNamedParametersPositions(str) {
49
+ const regex = /:(\w+)(?=[\s,;)]|$)/g;
50
+ const matches = str.matchAll(regex);
51
+
52
+ return Array.from(matches, (match) => ({ [match[1]]: match.index }));
53
+ }
54
+
55
+ return (core.assess.dataflow.propagation.sequelizeInstrumentation = {
56
+ install() {
57
+ depHooks.resolve(
58
+ { name: 'sequelize', file: 'lib/sql-string.js' },
59
+ (sqlString, version) => {
60
+ const origEscape = sqlString.escape;
61
+
62
+ patcher.patch(sqlString, 'escape', {
63
+ name: 'sequelize.escape',
64
+ patchType,
65
+ post(data) {
66
+ const { args, result, hooked, orig } = data;
67
+
68
+ if (
69
+ !result ||
70
+ !args[0] ||
71
+ !isString(args[0]) ||
72
+ !sources.getStore()?.assess ||
73
+ instrumentation.isLocked()
74
+ ) return;
75
+
76
+ const argInfo = tracker.getData(args[0]);
77
+
78
+ if (!argInfo) return;
79
+
80
+ const resultInfo = tracker.getData(result);
81
+ if (!resultInfo) return;
82
+ const history = [argInfo];
83
+ const newTags = { ...resultInfo.tags };
84
+
85
+ newTags[SQL_ENCODED] = [0, result.length - 1];
86
+
87
+ const event = createPropagationEvent({
88
+ context: 'sequelize.escape',
89
+ name: 'sequelize/lib/sql-string.escape',
90
+ object: {
91
+ value: createModuleLabel('sequelize/lib/sql-string.escape', version),
92
+ tracked: false,
93
+ },
94
+ result: {
95
+ value: resultInfo.value,
96
+ tracked: true,
97
+ },
98
+ args: [{ value: argInfo.value, tracked: true }],
99
+ tags: newTags,
100
+ addedTags: [SQL_ENCODED],
101
+ source: 'P',
102
+ target: 'R',
103
+ history,
104
+ stacktraceOpts: {
105
+ constructorOpt: hooked,
106
+ prependFrames: [orig],
107
+ },
108
+ });
109
+
110
+ if (!event) return;
111
+
112
+ Object.assign(resultInfo, event);
113
+ },
114
+ });
115
+
116
+ patcher.patch(sqlString, 'format', {
117
+ name: 'Sequelize.Utils.format',
118
+ patchType,
119
+ post(data) {
120
+ const { args, result, hooked, orig } = data;
121
+ if (
122
+ !result ||
123
+ !args[0] ||
124
+ !isString(args[0]) ||
125
+ !sources.getStore()?.assess ||
126
+ instrumentation.isLocked()
127
+ )
128
+ return;
129
+
130
+ const resultInfo = tracker.getData(result);
131
+ if (!resultInfo) {
132
+ return;
133
+ }
134
+
135
+ const positions = getFormatPostions(data.args[0]);
136
+ const firstArgInfo = tracker.getData(data.args[0]);
137
+
138
+ if (!positions.length) {
139
+ return;
140
+ }
141
+
142
+ const replacements = [].concat(data.args[1]);
143
+ let replacementsTrakced = false;
144
+ const [, , timezone, dialect] = data.args;
145
+ const len = positions.length;
146
+
147
+ const history = new Set();
148
+ const newTags = { ...resultInfo.tags };
149
+
150
+ for (let i = 0; i < len; i++) {
151
+ const replacementInfo = tracker.getData(replacements[i]);
152
+ // we don't need to run in a no instrumentation scope here since
153
+ // patcher will do so automatically since we're in a post hook
154
+ const escapedVal = origEscape(
155
+ replacements[i],
156
+ timezone,
157
+ dialect,
158
+ true // true is required to get format function behavior.
159
+ );
160
+
161
+ if (replacementInfo) {
162
+ history.add(replacementInfo);
163
+ newTags[SQL_ENCODED] = newTags[SQL_ENCODED] || [];
164
+ replacementsTrakced = replacementsTrakced || true;
165
+ newTags[SQL_ENCODED].push(positions[i], positions[i] + escapedVal.length - 1);
166
+ }
167
+ //update the string replacement poisitions based on current val length - it's replacing a ? in the origional string
168
+ if (i < len - 1) {
169
+ for (let j = i + 1; j < len; j++) {
170
+ positions[j] = positions[j] + escapedVal.length - 1;
171
+ }
172
+ }
173
+ }
174
+
175
+ const event = createPropagationEvent({
176
+ context: 'Sequelize.Utils.format',
177
+ name: 'sequelize/lib/sql-string.format',
178
+ object: {
179
+ value: createModuleLabel('sequelize/lib/sql-string.format', version),
180
+ tracked: false,
181
+ },
182
+ result: {
183
+ value: resultInfo.value,
184
+ tracked: true,
185
+ },
186
+ args: [
187
+ { value: firstArgInfo ? firstArgInfo.value : args[0], tracked: !!firstArgInfo },
188
+ { value: replacements, tracked: replacementsTrakced },
189
+ { value: timezone, tracked: false },
190
+ { value: dialect, tracked: false }
191
+ ],
192
+ tags: newTags,
193
+ source: 'P1',
194
+ target: 'R',
195
+ addedTags: [SQL_ENCODED],
196
+ history: Array.from(history),
197
+ stacktraceOpts: {
198
+ constructorOpt: hooked,
199
+ prependFrames: [orig],
200
+ },
201
+ });
202
+
203
+ if (!event) return;
204
+
205
+ Object.assign(resultInfo, event);
206
+ },
207
+ });
208
+
209
+ patcher.patch(sqlString, 'formatNamedParameters', {
210
+ name: 'Sequelize.Utils.formatNamedParameters',
211
+ patchType,
212
+ post(data) {
213
+ const { args, result, hooked, orig } = data;
214
+
215
+ if (
216
+ !result ||
217
+ !args[0] ||
218
+ !isString(args[0]) ||
219
+ !sources.getStore()?.assess ||
220
+ instrumentation.isLocked()
221
+ )
222
+ return;
223
+
224
+ const resultInfo = tracker.getData(result);
225
+ if (!resultInfo) {
226
+ return;
227
+ }
228
+
229
+ const positions = getFormatNamedParametersPositions(data.args[0]);
230
+ const firstArgInfo = tracker.getData(data.args[0]);
231
+
232
+ if (!positions.length) {
233
+ return;
234
+ }
235
+
236
+ const replacements = Object.assign({}, data.args[1]);
237
+ let replacementsTrakced = false;
238
+ const [, , timezone, dialect] = data.args;
239
+ const len = positions.length;
240
+
241
+ const history = new Set();
242
+ const newTags = { ...resultInfo.tags };
243
+
244
+ for (let i = 0; i < len; i++) {
245
+ const replacementKey = Object.keys(positions[i])[0];
246
+ const replacementInfo = tracker.getData(replacements[replacementKey]);
247
+ const escapedVal = origEscape(
248
+ replacements[replacementKey],
249
+ timezone,
250
+ dialect,
251
+ true // true is required to get format function behavior.
252
+ );
253
+
254
+ if (replacementInfo) {
255
+ history.add(replacementInfo);
256
+ newTags[SQL_ENCODED] = newTags[SQL_ENCODED] || [];
257
+ replacementsTrakced = replacementsTrakced || true;
258
+ newTags[SQL_ENCODED].push(Object.values(positions[i])[0], Object.values(positions[i])[0] + escapedVal.length - 1);
259
+ }
260
+
261
+ //update the string replacement poisitions based on current val length - it's replacing a :key with the string
262
+ if (i < len - 1) {
263
+ for (let j = i + 1; j < len; j++) {
264
+ const nextKey = Object.keys(positions[j])[0];
265
+ positions[j] = {
266
+ [nextKey]:
267
+ positions[j][nextKey] - (replacementKey.length + 1) + escapedVal.length // add 1 for the ':'
268
+ };
269
+ }
270
+ }
271
+ }
272
+
273
+ const event = createPropagationEvent({
274
+ context: 'Sequelize.Utils.formatNamedParameters',
275
+ name: 'sequelize/lib/sql-string.formatNamedParameters',
276
+ object: {
277
+ value: createModuleLabel('sequelize/lib/sql-string.formatNamedParameters', version),
278
+ tracked: false,
279
+ },
280
+ result: {
281
+ value: resultInfo.value,
282
+ tracked: true,
283
+ },
284
+ args: [
285
+ { value: firstArgInfo ? firstArgInfo.value : args[0], tracked: !!firstArgInfo },
286
+ { value: replacements, tracked: replacementsTrakced },
287
+ { value: timezone, tracked: false },
288
+ { value: dialect, tracked: false }
289
+ ],
290
+ tags: newTags,
291
+ source: 'P1',
292
+ target: 'R',
293
+ addedTags: [SQL_ENCODED],
294
+ history: Array.from(history),
295
+ stacktraceOpts: {
296
+ constructorOpt: hooked,
297
+ prependFrames: [orig],
298
+ },
299
+ });
300
+
301
+ if (!event) return;
302
+
303
+ Object.assign(resultInfo, event);
304
+ },
305
+ });
306
+ }
307
+ );
308
+ },
309
+ });
310
+ };
package/lib/dataflow/propagation/install/sql-template-strings.js CHANGED
@@ -15,6 +15,9 @@
15
15
 
16
16
  'use strict';
17
17
 
18
+ const {
19
+ DataflowTag: { SQL_ENCODED }
20
+ } = require('@contrast/common');
18
21
  const { patchType, createModuleLabel } = require('../common');
19
22
 
20
23
  module.exports = function(core) {
@@ -48,10 +51,8 @@ module.exports = function(core) {
48
51
  const resultInfo = tracker.getData(resultValue);
49
52
  if (!resultInfo) return;
50
53
  const history = [argInfo];
51
- // const newTags = createFullLengthCopyTags(argInfo.tags, resultValue.length);
52
54
  const newTags = { ...resultInfo.tags };
53
-
54
- newTags['sql-encoded'] = [0, resultValue.length - 1];
55
+ newTags[SQL_ENCODED] = [0, resultValue.length - 1];
55
56
 
56
57
  const event = createPropagationEvent({
57
58
  name: 'sql-template-strings.SQL',
@@ -65,7 +66,7 @@ module.exports = function(core) {
65
66
  },
66
67
  args: [{ value: argInfo.value, tracked: true }],
67
68
  tags: newTags,
68
- addedTags: ['sql-encoded'],
69
+ addedTags: [SQL_ENCODED],
69
70
  history,
70
71
  stacktraceOpts: {
71
72
  constructorOpt: hooked,
package/lib/dataflow/propagation/install/string/match.js CHANGED
@@ -87,7 +87,7 @@ module.exports = function(core) {
87
87
  const hasCaptureGroups = 'groups' in result;
88
88
  for (let i = 0; i < result.length; i++) {
89
89
  const res = result[i];
90
- if (!res) continue;
90
+ if (!res || res === obj) continue;
91
91
  const start = obj.indexOf(res, idx);
92
92
  idx += hasCaptureGroups ? 0 : res.length;
93
93
  const event = getPropagationEvent(data, res, objInfo, start);
@@ -101,7 +101,7 @@ module.exports = function(core) {
101
101
  if (hasCaptureGroups && result.groups) {
102
102
  Object.keys(result.groups).forEach((key) => {
103
103
  const res = result.groups[key];
104
- if (!res) return;
104
+ if (!res || res === obj) return;
105
105
  const start = obj.indexOf(res);
106
106
  const event = getPropagationEvent(data, res, objInfo, start);
107
107
  if (event) {