@contrast/assess 1.51.0 → 1.53.0

package/lib/dataflow/propagation/install/string/replace.js

@@ -22,6 +22,7 @@ const {
     StringPrototypeMatchAll,
     StringPrototypeReplace,
     StringPrototypeReplaceAll,
+    StringPrototypeSubstring
   }
 } = require('@contrast/common');
 const {
@@ -34,6 +35,7 @@ const { patchType } = require('../../common');
 module.exports = function(core) {
   const {
     patcher,
+    scopes,
     assess: {
       getPropagatorContext,
       eventFactory: { createPropagationEvent },
@@ -85,8 +87,7 @@ module.exports = function(core) {
       // aren't valid, e.g., $0, $<name> when the pattern is a string.
       replacement = String(data._replacement);
 
-      const matches = [...StringPrototypeMatchAll.call(replacement, patternIsRE ? RE_REPS : STR_REPS)];
-      let trackedReplacementsDone = 0;
+      const matches = StringPrototypeMatchAll.call(replacement, patternIsRE ? RE_REPS : STR_REPS);
 
       for (const m of matches) {
         let substitution;
@@ -113,7 +114,7 @@ module.exports = function(core) {
             substitutionDone = true;
           } else if (m[1][0] === '<') {
             // named group
-            const groupName = m[1].substring(1, m[1].length - 1);
+            const groupName = StringPrototypeSubstring.call(m[1], 1, m[1].length - 1);
             if (parsedArgs.groups[groupName] === undefined && groupName in parsedArgs.groups) {
               // remove $<groupName> from the replacement pattern. N.B. this
               // also could mess up if the replacement text containts text that
@@ -130,6 +131,7 @@ module.exports = function(core) {
         //
         // any idea what order $&'` should be in from a most-common to least-
         // common perspective? nfi.
+        let substitutionTags;
         if (!substitutionDone) {
           if (m[1] === '$') {
             // this could actually be tracked but in order to do this "right"
@@ -137,15 +139,20 @@ module.exports = function(core) {
             // the second $ that is tracked. so punt, and just ignore it, as
             // originally implemented.
             substitution = '$';
+            data._replacementOffset -= 1;
           } else if (m[1] === '&') {
             // replace these '$&' in parsedArgs[0] (replacerArgs[0], i.e., the
             // match). if tracked, handle it. do so by index, so we don't have to
             // call replace again? e.g., string[m.index..m.index+2]
             substitution = parsedArgs[0];
           } else if (m[1] === '`') {
-            substitution = parsedArgs.input.substring(0, parsedArgs.index);
+            const info = tracker.getData(parsedArgs.input);
+            substitution = StringPrototypeSubstring.call(parsedArgs.input, 0, parsedArgs.index);
+            substitutionTags = createSubsetTags(info.tags, parsedArgs.index, substitution.length);
           } else if (m[1] === "'") {
-            substitution = parsedArgs.input.substring(parsedArgs.index + parsedArgs[0].length);
+            const info = tracker.getData(parsedArgs.input);
+            substitution = StringPrototypeSubstring.call(parsedArgs.input, parsedArgs.index + parsedArgs[0].length);
+            substitutionTags = createSubsetTags(info.tags, parsedArgs.index, substitution.length);
           } //  else {
           //   throw new Error('how can it have matched RE and gotten here?');
           // }
@@ -154,15 +161,13 @@ module.exports = function(core) {
           // is manipulating the output, even if it is just duplicating what
           // might be tracked or untracked input. does that count?
         }
-        // if the substitution is tracked just use heavy-weight replacer.
-        if (trackedReplacementsDone || tracker.isTracked(substitution)) {
-          replacement = replacement.replace(m[0], substitution);
-          trackedReplacementsDone += 1;
-        } else {
-          replacement = StringPrototypeReplace.call(replacement, m[0], substitution);
+        replacement = StringPrototypeReplace.call(replacement, m[0], substitution);
+        if (!substitutionTags && tracker.getData(substitution)) substitutionTags = tracker.getData(substitution)?.tags;
+        if (substitutionTags) {
+          data._replacementTags = createAppendTags(data._replacementTags || {}, substitutionTags, m.index + data._replacementOffset);
+          data._replacementOffset += (substitution.length - m[0].length);
         }
       }
-
     }
 
     // coerce the replacement to a string, e.g., null => 'null'
@@ -173,7 +178,7 @@ module.exports = function(core) {
       data._history.add(data._replacementInfo);
     }
 
-    return { replacement, replacementInfo: data._replacementInfo };
+    return { replacement, replacementTags: data._replacementTags || data._replacementInfo?.tags };
   }
 
   function getReplacer(data) {
@@ -183,14 +188,14 @@ module.exports = function(core) {
       const { index, input } = parsedArgs;
 
       const { _accumOffset, _accumTags } = data;
-      const { replacement, replacementInfo } = getReplacementInfo(data, args, parsedArgs);
+      const { replacement, replacementTags } = getReplacementInfo(data, args, parsedArgs);
 
       const preTags = createSubsetTags(_accumTags, 0, _accumOffset + index);
       const postTags = createSubsetTags(_accumTags, _accumOffset + index + match.length, input.length - index - match.length);
       data._accumOffset += (replacement.length - match.length);
-      if (preTags || postTags || replacementInfo) {
+      if (preTags || postTags || replacementTags) {
         data._accumTags = createAppendTags(
-          createAppendTags(preTags, replacementInfo?.tags, _accumOffset + index),
+          createAppendTags(preTags, replacementTags, _accumOffset + index),
           postTags,
           data._accumOffset + index + match.length
         );
@@ -204,12 +209,13 @@ module.exports = function(core) {
   return core.assess.dataflow.propagation.stringInstrumentation.replace = {
     install() {
       const name = 'String.prototype.replace';
+      const store = { name, lock: true };
       patcher.patch(String.prototype, 'replace', {
         name,
         patchType,
         usePerf: 'sync',
-        pre(data) {
-          if (!getPropagatorContext()) return;
+        around(next, data) {
+          if (!getPropagatorContext()) return next();
 
           // setup state
           data._objInfo = tracker.getData(data.obj);
@@ -218,22 +224,20 @@ module.exports = function(core) {
           data._history = data._objInfo ? new Set([data._objInfo]) : new Set();
           data._accumTags = data._objInfo?.tags || {};
           data._accumOffset = 0;
+          data._replacementOffset = 0;
 
           data.args[1] = getReplacer(data);
-        },
-        post(data) {
+
+          const result = !scopes.instrumentation.isLocked() ? scopes.instrumentation.run(store, next) : next();
+
           if (
-            !data.result ||
-            // todo: can we reuse this optimization in other propagators? e.g those performing substring-like operations
+            !result ||
             !data._accumTags?.[UNTRUSTED] ||
-            !!tracker.getData(data.result)
-          ) return;
+            !!tracker.getData(result) ||
+            data.obj === result
+          ) return result;
 
-          if (data.obj === data.result) {
-            return;
-          }
-
-          const { obj, args: origArgs, result, hooked, orig } = data;
+          const { obj, args: origArgs, hooked, orig } = data;
           const args = [];
           if (tracker.getData(origArgs[0])) {
             args.push({ tracked: true, value: origArgs[0] });
@@ -274,9 +278,7 @@ module.exports = function(core) {
 
           const { extern } = tracker.track(result, event);
 
-          if (extern) {
-            data.result = extern;
-          }
+          return extern;
         }
       });
     },

package/lib/dataflow/sinks/install/fastify/unvalidated-redirect.js

@@ -86,7 +86,7 @@ module.exports = function(core) {
 
   unvalidatedRedirect.install = function() {
     const name = 'fastify.Reply.prototype.redirect';
-    depHooks.resolve({ name: 'fastify', version: '>=3 <5', file: 'lib/reply' }, (Reply) => {
+    depHooks.resolve({ name: 'fastify', version: '>=3 <6', file: 'lib/reply' }, (Reply) => {
       patcher.patch(Reply.prototype, 'redirect', {
         name,
         patchType,

package/lib/dataflow/sources/install/fastify/fastify.js

@@ -31,7 +31,7 @@ module.exports = function (core) {
 
   const source = sources.fastifyInstrumentation.fastify = {
     install() {
-      depHooks.resolve({ name: 'fastify', version: '>=3.2.0 <5' }, (fastify) => patcher.patch(fastify, {
+      depHooks.resolve({ name: 'fastify', version: '>=3.2.0 <6' }, (fastify) => patcher.patch(fastify, {
         name: 'fastify.constructor',
         patchType,
         post({ result: server, funcKey }) {

package/lib/event-factory.js

@@ -15,7 +15,8 @@
 
 'use strict';
 
-const { InputType, empties, primordials: { StringPrototypeMatch } } = require('@contrast/common');
+const { Event, InputType, empties, primordials: { StringPrototypeMatch } } = require('@contrast/common');
+const { ConfigSource } = require('@contrast/config');
 const { Core } = require('@contrast/core/lib/ioc/core');
 const ANNOTATION_REGEX = /^(A|O|R|P|P\d+)$/;
 const SOURCE_EVENT_MSG = 'Source event not created: %s';
@@ -33,6 +34,15 @@ module.exports = Core.makeComponent({
 
     const eventFactory = core.assess.eventFactory = {};
 
+    function computeStacktracesConfig() {
+      const forceSink = config.getEffectiveValue('server.environment') === 'PRODUCTION' &&
+        config.getEffectiveSource('assess.stacktraces') === ConfigSource.DEFAULT_VALUE;
+
+      return forceSink ? 'SINK' : config.getEffectiveValue('assess.stacktraces');
+    }
+
+    eventFactory.stacktraces = computeStacktracesConfig();
+
     eventFactory.createdEvents = new WeakSet();
 
     eventFactory.createSourceEvent = function(data = {}) {
@@ -91,7 +101,7 @@ module.exports = Core.makeComponent({
         return null;
       }
 
-      if (config.assess.stacktraces === 'ALL') {
+      if (eventFactory.stacktraces === 'ALL') {
         data.stack = createSnapshot(data.stacktraceOpts)();
       } else {
         data.stack = empties.ARRAY;
@@ -133,7 +143,7 @@ module.exports = Core.makeComponent({
         return null;
       }
 
-      if (config.assess.stacktraces !== 'NONE') {
+      if (eventFactory.stacktraces !== 'NONE') {
         data.stack = createSnapshot(data.stacktraceOpts)();
       } else {
         data.stack = empties.ARRAY;
@@ -161,7 +171,7 @@ module.exports = Core.makeComponent({
         logger.debug('malformed or missing sink event source field: %s', data.name);
         return null;
       }
-      if (config.assess.stacktraces !== 'NONE') {
+      if (eventFactory.stacktraces !== 'NONE') {
         data.stack = createSnapshot(data.stacktraceOpts)();
       } else {
         data.stack = empties.ARRAY;
@@ -202,7 +212,7 @@ module.exports = Core.makeComponent({
         logger.debug('malformed or missing sink event source field: %s', data.name);
         return null;
       }
-      if (config.assess.stacktraces !== 'NONE') {
+      if (eventFactory.stacktraces !== 'NONE') {
         data.stack = createSnapshot(data.stacktraceOpts)();
       } else {
         data.stack = empties.ARRAY;
@@ -214,6 +224,12 @@ module.exports = Core.makeComponent({
       return data;
     };
 
+
+    // update computed config value if there are updates
+    core.messages.on(Event.SERVER_SETTINGS_UPDATE, () => {
+      eventFactory.stacktraces = computeStacktracesConfig();
+    });
+
     return eventFactory;
   }
 });

package/lib/get-source-context.js

@@ -15,6 +15,8 @@
 // @ts-check
 'use strict';
 
+const { Core } = require('@contrast/core/lib/ioc/core');
+
 /** @typedef {import('@contrast/assess').SourceContext} SourceContext */
 
 /**
@@ -25,7 +27,12 @@
  *  assess: import('@contrast/assess').Assess;
  * }} core
  */
-module.exports = function(core) {
+module.exports = Core.makeComponent({
+  name: 'assess.getSourceContext',
+  factory
+});
+
+function factory(core) {
   const {
     config,
     scopes: { sources, instrumentation },
@@ -109,4 +116,4 @@ module.exports = function(core) {
 
     return ctx;
   };
-};
+}

package/lib/index.js

@@ -63,7 +63,7 @@ module.exports = function assess(core) {
   require('./get-policy')(core);
   core.initComponentSync(require('./make-source-context'));
   require('./rule-scopes')(core);
-  require('./get-source-context')(core);
+  core.initComponentSync(require('./get-source-context'));
   core.initComponentSync(require('./event-factory'));
 
   // various Assess features

package/lib/make-source-context.js

@@ -26,75 +26,76 @@ const { Core } = require('@contrast/core/lib/ioc/core');
  */
 module.exports = Core.makeComponent({
   name: 'assess.makeSourceContext',
-  factory(core) {
-    const { assess, logger } = core;
+  factory,
+});
 
-    /**
-     * @returns {import('@contrast/assess').SourceContext}
-     */
-    return core.assess.makeSourceContext = function(sourceData) {
-      try {
+function factory(core) {
+  const { assess, logger } = core;
 
-        const ctx = sourceData.store.assess = {
-          // default policy to `null` until it is set later below. this will cause
-          // all instrumentation to short-circuit, see `./get-source-context.js`.
-          policy: null,
-        };
+  /**
+   * @returns {import('@contrast/assess').SourceContext}
+   */
+  return core.assess.makeSourceContext = function(sourceData) {
+    try {
 
-        if (!core.config.getEffectiveValue('assess.enable')) {
-          return ctx;
-        }
+      const ctx = sourceData.store.assess = {
+        // default policy to `null` until it is set later below. this will cause
+        // all instrumentation to short-circuit, see `./get-source-context.js`.
+        policy: null,
+      };
 
-        // todo: how to handle non-HTTP sources
-        const { incomingMessage: req } = sourceData;
+      if (!core.config.getEffectiveValue('assess.enable')) {
+        return ctx;
+      }
 
-        // minimally process the request data for sampling and exclusions.
-        // more request fields will be appended in final result below.
-        let uriPath;
-        let queries;
-        const idx = req.url.indexOf('?');
-        if (idx >= 0) {
-          uriPath = StringPrototypeSlice.call(req.url, 0, idx);
-          queries = StringPrototypeSlice.call(req.url, idx + 1);
-        } else {
-          uriPath = req.url;
-          queries = '';
-        }
-        ctx.reqData = {
-          method: req.method,
-          uriPath,
-          queries,
-        };
+      // todo: how to handle non-HTTP sources
+      const { incomingMessage: req } = sourceData;
 
-        // check whether sampling allows processing
-        ctx.sampleInfo = assess.sampler?.getSampleInfo(sourceData) ?? null;
-        if (ctx.sampleInfo?.canSample === false) return ctx;
+      // minimally process the request data for sampling and exclusions.
+      // more request fields will be appended in final result below.
+      let uriPath;
+      let queries;
+      const idx = req.url.indexOf('?');
+      if (idx >= 0) {
+        uriPath = StringPrototypeSlice.call(req.url, 0, idx);
+        queries = StringPrototypeSlice.call(req.url, idx + 1);
+      } else {
+        uriPath = req.url;
+        queries = '';
+      }
+      ctx.reqData = {
+        method: req.method,
+        uriPath,
+        queries,
+      };
 
-        // set policy - can be returned as `null` if request is url-excluded.
-        ctx.policy = assess.getPolicy(ctx.reqData);
-        if (!ctx.policy) return ctx;
+      // check whether sampling allows processing
+      ctx.sampleInfo = assess.sampler?.getSampleInfo(sourceData) ?? null;
+      if (ctx.sampleInfo?.canSample === false) return ctx;
 
-        // build remaining reqData
-        ctx.reqData.headers = { ...req.headers }; // copy to avoid storing tracked values
-        ctx.reqData.ip = req.socket.remoteAddress;
-        ctx.reqData.httpVersion = req.httpVersion;
-        if (ctx.reqData.headers['content-type'])
-          ctx.reqData.contentType = StringPrototypeToLowerCase.call(ctx.reqData.headers['content-type']);
+      // set policy - can be returned as `null` if request is url-excluded.
+      ctx.policy = assess.getPolicy(ctx.reqData);
+      if (!ctx.policy) return ctx;
 
-        return {
-          ...ctx,
-          propagationEventsCount: 0,
-          sourceEventsCount: 0,
-          responseData: {},
-          ruleState: {},
-        };
-      } catch (err) {
-        logger.error(
-          { err },
-          'unable to construct assess store. assess will be disabled for request.'
-        );
-        return null;
-      }
-    };
-  }
-});
+      // build remaining reqData
+      ctx.reqData.headers = { ...req.headers }; // copy to avoid storing tracked values
+      ctx.reqData.ip = req.socket.remoteAddress;
+      ctx.reqData.httpVersion = req.httpVersion;
+      if (ctx.reqData.headers['content-type'])
+        ctx.reqData.contentType = StringPrototypeToLowerCase.call(ctx.reqData.headers['content-type']);
+
+      ctx.propagationEventsCount = 0;
+      ctx.sourceEventsCount = 0;
+      ctx.responseData = {};
+      ctx.ruleState = {};
+
+      return ctx;
+    } catch (err) {
+      logger.error(
+        { err },
+        'unable to construct assess store. assess will be disabled for request.'
+      );
+      return null;
+    }
+  };
+}

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@contrast/assess",
-  "version": "1.51.0",
+  "version": "1.53.0",
   "description": "Contrast service providing framework-agnostic Assess support",
   "license": "SEE LICENSE IN LICENSE",
   "author": "Contrast Security <nodejs@contrastsecurity.com> (https://www.contrastsecurity.com)",
@@ -21,16 +21,16 @@
   },
   "dependencies": {
     "@contrast/common": "1.32.0",
-    "@contrast/config": "1.44.0",
-    "@contrast/core": "1.49.0",
-    "@contrast/dep-hooks": "1.18.0",
+    "@contrast/config": "1.45.0",
+    "@contrast/core": "1.50.0",
+    "@contrast/dep-hooks": "1.19.0",
     "@contrast/distringuish": "^5.1.0",
-    "@contrast/instrumentation": "1.28.0",
-    "@contrast/logger": "1.22.0",
-    "@contrast/patcher": "1.21.0",
-    "@contrast/rewriter": "1.25.0",
-    "@contrast/route-coverage": "1.39.0",
-    "@contrast/scopes": "1.19.0",
+    "@contrast/instrumentation": "1.29.0",
+    "@contrast/logger": "1.23.0",
+    "@contrast/patcher": "1.22.0",
+    "@contrast/rewriter": "1.26.0",
+    "@contrast/route-coverage": "1.41.0",
+    "@contrast/scopes": "1.20.0",
     "semver": "^7.6.0"
   }
 }