@contrast/assess 1.50.0 → 1.51.0

package/lib/dataflow/propagation/install/string/split.js

@@ -15,13 +15,14 @@
 
 'use strict';
 
-const { primordials: { ArrayPrototypeJoin } } = require('@contrast/common');
+const { primordials: { ArrayPrototypeJoin, RegExpPrototypeExec } } = require('@contrast/common');
 const { createSubsetTags, getAdjustedUntrackedValue } = require('../../../tag-utils');
 const { patchType } = require('../../common');
 
 module.exports = function(core) {
   const {
     patcher,
+    scopes,
     assess: {
       getPropagatorContext,
       eventFactory,
@@ -32,13 +33,22 @@ module.exports = function(core) {
   return core.assess.dataflow.propagation.stringInstrumentation.split = {
     install() {
       const name = 'String.prototype.split';
+      const store = { lock: true, name };
 
       patcher.patch(String.prototype, 'split', {
         name,
         patchType,
         usePerf: 'sync',
+        around(next, data) {
+          // prevent instrumenting call to `exec` instance method when splitter is RegExp
+          return data.args[0] instanceof RegExp && !scopes.instrumentation.isLocked() ?
+            scopes.instrumentation.run(store, next) :
+            next();
+        },
         post(data) {
           const { name, args: origArgs, obj, result, hooked, orig } = data;
+          const splitterIsRx = origArgs[0] instanceof RegExp;
+
           if (
             !obj ||
             !result ||
@@ -46,68 +56,115 @@ module.exports = function(core) {
             result.length === 0 ||
             typeof obj !== 'string' ||
             (origArgs.length === 1 && origArgs[0] == null) ||
-            !getPropagatorContext()
+            !getPropagatorContext() ||
+            (!splitterIsRx && origArgs[0]?.[Symbol.split])
           ) return;
 
           const objInfo = tracker.getData(obj);
           if (!objInfo || obj === result[0]) return;
 
-          const args = origArgs.map((arg) => {
-            const argInfo = tracker.getData(arg);
-            return argInfo ?
-                { tracked: true, value: argInfo.value } :
-                { tracked: false, value: `'${arg}'` };
-          });
-
-          const event = eventFactory.createPropagationEvent({
-            name,
-            moduleName: 'String',
-            methodName: 'prototype.split',
-            context: `'${objInfo.value}'.split(${ArrayPrototypeJoin.call(args.map(a => a.value))})`,
-            history: [objInfo],
-            object: {
-              value: obj,
-              tracked: true,
-            },
-            args,
-            tags: {},
-            result: {
-              value: getAdjustedUntrackedValue(result),
-              tracked: false
-            },
-            stacktraceOpts: {
-              constructorOpt: hooked,
-              prependFrames: [orig]
-            },
-            source: 'O',
-            target: 'R'
-          });
-
-          if (!event) return;
-
-          let idx = 0;
+          let readIdx = 0;
+          let splitterRxGlobal;
+          let sepOffset;
+          let rxMatch;
+          let _event;
+
+          // make single global regex to check for calculating sepOffsets (vs using origArgs[0])
+          if (origArgs[0] instanceof RegExp) splitterRxGlobal = new RegExp(origArgs[0], 'g');
+
           for (let i = 0; i < result.length; i++) {
-            const res = result[i];
-            const start = obj.indexOf(res, idx);
-            idx += res.length;
-            const objSubstr = obj.substring(start, start + res.length);
-            const objSubstrInfo = tracker.getData(objSubstr);
-            if (objSubstrInfo) {
-              const tags = createSubsetTags(objInfo.tags, start, res.length);
-
-              if (!tags) continue;
-              const metadata = {
-                ...event,
-                result: { tracked: true, value: res },
-                tags,
-              };
-              eventFactory.createdEvents.add(metadata);
-              const { extern } = tracker.track(res, metadata);
-
-              if (extern) {
-                data.result[i] = extern;
+            let tags;
+            if (result[i].length) {
+              tags = createSubsetTags(objInfo.tags, readIdx, result[i].length);
+            }
+
+            if (tags) {
+              const metadata = makeEvent({
+                result: { tracked: true, value: result[i] },
+                tags: tags,
+              });
+
+              if (metadata) {
+                eventFactory.createdEvents.add(metadata);
+                const { extern } = tracker.track(result[i], metadata);
+                if (extern) data.result[i] = extern;
+              }
+            }
+
+            // increment read offset from element length
+            readIdx += result[i].length;
+
+            // calculate separator offset but don't increment until
+            // we check for regex capture groups in result below
+            if (splitterRxGlobal) {
+              rxMatch = RegExpPrototypeExec.call(splitterRxGlobal, obj);
+              if (rxMatch) sepOffset = rxMatch[0].length;
+            } else {
+              sepOffset = origArgs[0].length;
+            }
+
+            // handle if any regex matches are interleaved into the result
+            if (rxMatch) {
+              let groupIdx = rxMatch.length > 1 ? 1 : 0;
+
+              while (groupIdx && groupIdx < rxMatch.length) {
+                // move to next element in result
+                i++;
+
+                const tags = createSubsetTags(objInfo.tags, readIdx, rxMatch[groupIdx].length);
+                if (tags) {
+                  const metadata = makeEvent({
+                    result: { tracked: true, value: result[i] },
+                    tags: tags,
+                  });
+                  eventFactory.createdEvents.add(metadata);
+                  const { extern } = tracker.track(result[i], metadata);
+                  if (extern) data.result[i] = extern;
+                }
+                // increment read offset using rxMatch[groupIdx].length instead of sepOffset
+                readIdx += rxMatch[groupIdx].length;
+                groupIdx++;
               }
+            } else {
+              readIdx += sepOffset;
+            }
+          }
+
+          // Defer base event creation until needed. All events will share same
+          // common base event data that gets cached per propagator run.
+          function makeEvent(mergeData) {
+            if (!_event) {
+              const args = origArgs.map((arg) => {
+                const argInfo = tracker.getData(arg);
+                return argInfo ?
+                  { tracked: true, value: argInfo.value } :
+                  { tracked: false, value: `'${arg}'` };
+              });
+              _event = eventFactory.createPropagationEvent({
+                name,
+                moduleName: 'String',
+                methodName: 'prototype.split',
+                context: `'${objInfo.value}'.split(${ArrayPrototypeJoin.call(args.map(a => a.value))})`,
+                history: [objInfo],
+                object: {
+                  value: obj,
+                  tracked: true,
+                },
+                args,
+                tags: {},
+                result: {
+                  value: getAdjustedUntrackedValue(result),
+                  tracked: false
+                },
+                stacktraceOpts: {
+                  constructorOpt: hooked,
+                  prependFrames: [orig]
+                },
+                source: 'O',
+                target: 'R'
+              });
             }
+            return !_event ? null : { ..._event, ...mergeData };
           }
         },
       });

package/lib/dataflow/sources/install/express/parsedUrl.js

@@ -74,6 +74,9 @@ module.exports = function init(core) {
                 name: 'express.middleware.init.expressInit',
                 patchType,
                 pre(data) {
+                  // no need to patch is assess is off
+                  if (!core.config.getEffectiveValue('assess.enable')) return;
+
                   patcher.patch(data.args, '2', {
                     name: 'express.middleware.init.expressInit.next',
                     patchType,

package/lib/index.js

@@ -17,6 +17,7 @@
 
 const { inspect } = require('util');
 const { callChildComponentMethodsSync } = require('@contrast/common');
+const { ConfigSource } = require('@contrast/config');
 
 module.exports = function assess(core) {
   const {
@@ -27,7 +28,15 @@ module.exports = function assess(core) {
 
   const assess = core.assess = {
     install() {
-      if (!config.getEffectiveValue('assess.enable')) {
+      // only force instrumentation if assess is explicitly enabled in local config
+      const forceInstrumentation =
+        config.preinstrument &&
+        config.getEffectiveSource('assess.enable') !== ConfigSource.DEFAULT_VALUE;
+
+      if (
+        !forceInstrumentation &&
+        !config.getEffectiveValue('assess.enable')
+      ) {
         core.logger.debug('assess is disabled, skipping installation');
         return;
       }

package/lib/make-source-context.js

@@ -34,6 +34,17 @@ module.exports = Core.makeComponent({
      */
     return core.assess.makeSourceContext = function(sourceData) {
       try {
+
+        const ctx = sourceData.store.assess = {
+          // default policy to `null` until it is set later below. this will cause
+          // all instrumentation to short-circuit, see `./get-source-context.js`.
+          policy: null,
+        };
+
+        if (!core.config.getEffectiveValue('assess.enable')) {
+          return ctx;
+        }
+
         // todo: how to handle non-HTTP sources
         const { incomingMessage: req } = sourceData;
 
@@ -49,16 +60,10 @@ module.exports = Core.makeComponent({
           uriPath = req.url;
           queries = '';
         }
-
-        const ctx = sourceData.store.assess = {
-          // default policy to `null` until it is set later below. this will cause
-          // all instrumentation to short-circuit, see `./get-source-context.js`.
-          policy: null,
-          reqData: {
-            method: req.method,
-            uriPath,
-            queries,
-          },
+        ctx.reqData = {
+          method: req.method,
+          uriPath,
+          queries,
         };
 
         // check whether sampling allows processing

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@contrast/assess",
-  "version": "1.50.0",
+  "version": "1.51.0",
   "description": "Contrast service providing framework-agnostic Assess support",
   "license": "SEE LICENSE IN LICENSE",
   "author": "Contrast Security <nodejs@contrastsecurity.com> (https://www.contrastsecurity.com)",
@@ -21,16 +21,16 @@
   },
   "dependencies": {
     "@contrast/common": "1.32.0",
-    "@contrast/config": "1.43.0",
-    "@contrast/core": "1.48.0",
-    "@contrast/dep-hooks": "1.17.0",
+    "@contrast/config": "1.44.0",
+    "@contrast/core": "1.49.0",
+    "@contrast/dep-hooks": "1.18.0",
     "@contrast/distringuish": "^5.1.0",
-    "@contrast/instrumentation": "1.27.0",
-    "@contrast/logger": "1.21.0",
-    "@contrast/patcher": "1.20.0",
-    "@contrast/rewriter": "1.24.0",
-    "@contrast/route-coverage": "1.38.0",
-    "@contrast/scopes": "1.18.0",
+    "@contrast/instrumentation": "1.28.0",
+    "@contrast/logger": "1.22.0",
+    "@contrast/patcher": "1.21.0",
+    "@contrast/rewriter": "1.25.0",
+    "@contrast/route-coverage": "1.39.0",
+    "@contrast/scopes": "1.19.0",
     "semver": "^7.6.0"
   }
 }