npm - @contrast/assess - Versions diffs - 1.52.0 → 1.54.0 - Mend

@contrast/assess 1.52.0 → 1.54.0

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (84) hide show

package/lib/dataflow/propagation/install/pug-runtime-escape.js CHANGED Viewed

@@ -17,7 +17,7 @@
 const { DataflowTag: { WEAK_URL_ENCODED } } = require('@contrast/common');
 const { createFullLengthCopyTags } = require('../../tag-utils');
-const { patchType, createModuleLabel } = require('../common');
+const { patchType } = require('../common');
 module.exports = function(core) {
   const {
@@ -40,7 +40,7 @@ module.exports = function(core) {
           patchType,
           usePerf: 'sync',
           post(data) {
-            const { args, result, hooked, orig } = data;
+            const { args, result, hooked } = data;
             if (!result || !args[0] || !getPropagatorContext()) return;
             const argInfo = tracker.getData(args[0]);
@@ -57,9 +57,11 @@ module.exports = function(core) {
               name,
               moduleName: 'pug-runtime',
               methodName: 'escape',
-              context: `pugRuntime.escape('${argInfo.value}')`,
+              get context() {
+                return `pugRuntime.escape('${argInfo.value}')`;
+              },
               object: {
-                value: createModuleLabel('pug-runtime', version),
+                value: 'pug-runtime',
                 tracked: false
               },
               result: {
@@ -74,7 +76,6 @@ module.exports = function(core) {
               target: 'R',
               stacktraceOpts: {
                 constructorOpt: hooked,
-                prependFrames: [orig]
               },
             });

package/lib/dataflow/propagation/install/querystring/escape.js CHANGED Viewed

@@ -62,7 +62,9 @@ module.exports = function(core) {
             const argVal = inspect(strInfo.value);
             const event = createPropagationEvent({
               args: [{ tracked: true, value: argVal }],
-              context: `querystring.escape(${argVal})`,
+              get context() {
+                return `querystring.escape(${argVal})`;
+              },
               history: [strInfo],
               moduleName: 'querystring',
               methodName: 'escape',

package/lib/dataflow/propagation/install/querystring/parse.js CHANGED Viewed

@@ -51,7 +51,9 @@ module.exports = function(core) {
       const event = createPropagationEvent({
         name: data.name,
-        context: `querystring.parse('${ArrayPrototypeJoin.call(args)})`,
+        get context() {
+          return `querystring.parse('${ArrayPrototypeJoin.call(args)})`;
+        },
         moduleName: 'querystring',
         methodName: 'parse',
         history: [trackingData],
@@ -70,7 +72,6 @@ module.exports = function(core) {
         tags: tagRanges,
         stacktraceOpts: {
           constructorOpt: data.hooked,
-          prependFrames: [data.orig]
         },
         source: 'P',
         target: 'R'

package/lib/dataflow/propagation/install/querystring/stringify.js CHANGED Viewed

@@ -112,10 +112,11 @@ module.exports = function(core) {
     const { name } = data;
     const args = data._args.map((a, i) => ({ tracked: i === 0, value: inspect(a) }));
-    const argString = args.reduce((acc, arg, i, arr) => acc + arg.value + (i === arr.length - 1 ? '' : ', '), '');
-    const context = `${name}(${argString})`;
     const event = createPropagationEvent({
-      context,
+      get context() {
+        const argString = args.reduce((acc, arg, i, arr) => acc + arg.value + (i === arr.length - 1 ? '' : ', '), '');
+        return `${name}(${argString})`;
+      },
       args,
       name,
       moduleName,
@@ -127,7 +128,6 @@ module.exports = function(core) {
       source: 'P',
       stacktraceOpts: {
         constructorOpt: data.hooked,
-        prependFrames: [data.orig],
       },
       tags: data._tags,
       target: 'R',

package/lib/dataflow/propagation/install/reg-exp-prototype-exec.js CHANGED Viewed

@@ -38,13 +38,15 @@ module.exports = function(core) {
     const tags = createSubsetTags(strInfo.tags, startIdx, match.length);
     if (!tags) return null;
-    const { name, obj, hooked, orig } = metadata;
+    const { name, obj, hooked } = metadata;
     return createPropagationEvent({
       name,
       moduleName: 'RegExp',
       methodName: 'prototype.exec',
-      context: `'${obj}'.exec('${strInfo.value}')`,
+      get context() {
+        return `${obj}.exec('${strInfo.value}')`;
+      },
       history: [strInfo],
       object: {
         value: 'RegExp',
@@ -63,7 +65,6 @@ module.exports = function(core) {
       },
       stacktraceOpts: {
         constructorOpt: hooked,
-        prependFrames: [orig],
       },
       source: 'P',
       target: 'R',

package/lib/dataflow/propagation/install/sequelize/query-generator.js CHANGED Viewed

@@ -57,7 +57,6 @@ module.exports = function(core) {
                 const { value } = strInfo;
                 const event = createPropagationEvent({
-                  // context: ``,
                   args: [{ tracked: true, value: data.args[0] }],
                   history: [strInfo],
                   moduleName: 'sequelize',

package/lib/dataflow/propagation/install/sequelize/sql-string.js CHANGED Viewed

@@ -20,7 +20,7 @@ const {
   primordials: { StringPrototypeMatchAll },
   DataflowTag: { SQL_ENCODED },
 } = require('@contrast/common');
-const { patchType, createModuleLabel } = require('../../common');
+const { patchType } = require('../../common');
 module.exports = function(core) {
   const {
@@ -64,7 +64,7 @@ module.exports = function(core) {
             patchType,
             usePerf: 'sync',
             post(data) {
-              const { args, result, hooked, orig } = data;
+              const { args, result, hooked } = data;
               if (
                 !result ||
@@ -85,7 +85,9 @@ module.exports = function(core) {
               newTags[SQL_ENCODED] = [0, result.length - 1];
               const event = createPropagationEvent({
-                context: `sequelize.escape('${argInfo.value}')`,
+                get context() {
+                  return `sequelize.escape('${argInfo.value}')`;
+                },
                 name: 'sequelize/lib/sql-string.escape',
                 moduleName: 'sequelize',
                 methodName: 'escape',
@@ -105,7 +107,6 @@ module.exports = function(core) {
                 history,
                 stacktraceOpts: {
                   constructorOpt: hooked,
-                  prependFrames: [orig],
                 },
               });
@@ -119,7 +120,7 @@ module.exports = function(core) {
             name: 'Sequelize.Utils.format',
             patchType,
             post(data) {
-              const { args, result, hooked, orig } = data;
+              const { args, result, hooked } = data;
               if (
                 !result ||
                 !args[0] ||
@@ -139,8 +140,8 @@ module.exports = function(core) {
                 return;
               }
-              const replacements = [].concat(data.args[1]);
-              let replacementsTrakced = false;
+              const replacements = [...data.args[1]];
+              let replacementsTracked = false;
               const [, , timezone, dialect] = data.args;
               const len = positions.length;
@@ -161,7 +162,7 @@ module.exports = function(core) {
                 if (replacementInfo) {
                   history.add(replacementInfo);
                   newTags[SQL_ENCODED] = newTags[SQL_ENCODED] || [];
-                  replacementsTrakced = replacementsTrakced || true;
+                  replacementsTracked ??= true;
                   newTags[SQL_ENCODED].push(positions[i], positions[i] + escapedVal.length - 1);
                 }
                 //update the string replacement poisitions based on current val length - it's replacing a ? in the origional string
@@ -176,7 +177,7 @@ module.exports = function(core) {
                 context: 'Sequelize.Utils.format',
                 name: 'sequelize/lib/sql-string.format',
                 object: {
-                  value: createModuleLabel('sequelize/lib/sql-string.format', version),
+                  value: 'sequelize/lib/sql-string.format',
                   tracked: false,
                 },
                 result: {
@@ -185,7 +186,7 @@ module.exports = function(core) {
                 },
                 args: [
                   { value: firstArgInfo ? firstArgInfo.value : args[0], tracked: !!firstArgInfo },
-                  { value: replacements, tracked: replacementsTrakced },
+                  { value: replacements, tracked: replacementsTracked },
                   { value: timezone, tracked: false },
                   { value: dialect, tracked: false }
                 ],
@@ -196,7 +197,6 @@ module.exports = function(core) {
                 history: Array.from(history),
                 stacktraceOpts: {
                   constructorOpt: hooked,
-                  prependFrames: [orig],
                 },
               });
@@ -210,7 +210,7 @@ module.exports = function(core) {
             name: 'Sequelize.Utils.formatNamedParameters',
             patchType,
             post(data) {
-              const { args, result, hooked, orig } = data;
+              const { args, result, hooked } = data;
               if (
                 !result ||
@@ -232,7 +232,7 @@ module.exports = function(core) {
               }
               const replacements = Object.assign({}, data.args[1]);
-              let replacementsTrakced = false;
+              let replacementsTracked = false;
               const [, , timezone, dialect] = data.args;
               const len = positions.length;
@@ -252,7 +252,7 @@ module.exports = function(core) {
                 if (replacementInfo) {
                   history.add(replacementInfo);
                   newTags[SQL_ENCODED] = newTags[SQL_ENCODED] || [];
-                  replacementsTrakced = replacementsTrakced || true;
+                  replacementsTracked ??= true;
                   newTags[SQL_ENCODED].push(Object.values(positions[i])[0], Object.values(positions[i])[0] + escapedVal.length - 1);
                 }
@@ -272,7 +272,7 @@ module.exports = function(core) {
                 context: 'Sequelize.Utils.formatNamedParameters',
                 name: 'sequelize/lib/sql-string.formatNamedParameters',
                 object: {
-                  value: createModuleLabel('sequelize/lib/sql-string.formatNamedParameters', version),
+                  value: 'sequelize/lib/sql-string.formatNamedParameters',
                   tracked: false,
                 },
                 result: {
@@ -281,7 +281,7 @@ module.exports = function(core) {
                 },
                 args: [
                   { value: firstArgInfo ? firstArgInfo.value : args[0], tracked: !!firstArgInfo },
-                  { value: replacements, tracked: replacementsTrakced },
+                  { value: replacements, tracked: replacementsTracked },
                   { value: timezone, tracked: false },
                   { value: dialect, tracked: false }
                 ],
@@ -292,7 +292,6 @@ module.exports = function(core) {
                 history: Array.from(history),
                 stacktraceOpts: {
                   constructorOpt: hooked,
-                  prependFrames: [orig],
                 },
               });

package/lib/dataflow/propagation/install/sql-template-strings.js CHANGED Viewed

@@ -16,7 +16,7 @@
 'use strict';
 const { DataflowTag: { SQL_ENCODED } } = require('@contrast/common');
-const { patchType, createModuleLabel } = require('../common');
+const { patchType } = require('../common');
 module.exports = function(core) {
   const {
@@ -39,11 +39,10 @@ module.exports = function(core) {
           patchType,
           usePerf: 'sync',
           post(data) {
-            const { args, result, hooked, orig } = data;
+            const { args, result, hooked } = data;
             if (!result || !args[0] || !getPropagatorContext()) return;
             const argInfo = tracker.getData(args[0]);
             if (!argInfo) return;
             const isResultStringsArray = Array.isArray(result.strings);
@@ -60,9 +59,11 @@ module.exports = function(core) {
                 name,
                 moduleName: 'sql-template-strings',
                 methodName: 'SQL',
-                context: `SQL\`${argInfo.value}\``,
+                get context() {
+                  return `SQL\`${argInfo.value}\``;
+                },
                 object: {
-                  value: createModuleLabel('sql-template-strings', version),
+                  value: 'sql-template-strings',
                   tracked: false
                 },
                 result: {
@@ -77,10 +78,8 @@ module.exports = function(core) {
                 target: 'R',
                 stacktraceOpts: {
                   constructorOpt: hooked,
-                  prependFrames: [orig]
                 },
               });
               if (!event) return;
               if (resultInfo) {
@@ -88,16 +87,13 @@ module.exports = function(core) {
               }
               const { extern } = resultInfo || tracker.track(resultValue, event);
               if (extern) {
                 if (idx === 0 && !isResultStringsArray) {
                   data.result.strings = extern;
                 }
                 if (idx < resultStrings.length && isResultStringsArray) {
                   data.result.strings[idx] = extern;
                 }
                 if (idx >= resultStrings.length) {
                   data.result.values[idx - resultStrings.length] = extern;
                 }

package/lib/dataflow/propagation/install/string/concat.js CHANGED Viewed

@@ -87,13 +87,14 @@ module.exports = function(core) {
           }
           if (history.size) {
-            const objVal = objInfo ? `'${objInfo.value}'` : getAdjustedUntrackedValue(data.obj);
-            const context = `${objVal}.concat(${ArrayPrototypeJoin.call(args.map((a) => a.value))})`;
             const event = createPropagationEvent({
               name,
               moduleName: 'String',
               methodName: 'prototype.concat',
-              context,
+              get context() {
+                const objVal = objInfo ? `'${objInfo.value}'` : getAdjustedUntrackedValue(data.obj);
+                return `${objVal}.concat(${ArrayPrototypeJoin.call(args.map((a) => a.value))})`;
+              },
               object: {
                 value: objInfo?.value ?? getAdjustedUntrackedValue(data.obj),
                 tracked: !!objInfo
@@ -109,7 +110,6 @@ module.exports = function(core) {
               target: 'R',
               stacktraceOpts: {
                 constructorOpt: data.hooked,
-                prependFrames: [data.orig]
               },
             });

package/lib/dataflow/propagation/install/string/format-methods.js CHANGED Viewed

@@ -37,7 +37,7 @@ module.exports = function(core) {
           patchType,
           usePerf: 'sync',
           post(data) {
-            const { obj, result, hooked, orig } = data;
+            const { obj, result, hooked } = data;
             if (!result || !getPropagatorContext()) return;
             const objInfo = tracker.getData(obj);
@@ -50,7 +50,9 @@ module.exports = function(core) {
               name,
               moduleName: 'String',
               methodName: `prototype.${method}`,
-              context: `'${objInfo.value}'.${method}()`,
+              get context() {
+                return `'${objInfo.value}'.${method}()`;
+              },
               object: {
                 value: objInfo.value,
                 tracked: true
@@ -59,14 +61,12 @@ module.exports = function(core) {
                 value: result,
                 tracked: true
               },
-              args: [],
               tags: objInfo.tags,
               history,
               source: 'O',
               target: 'R',
               stacktraceOpts: {
                 constructorOpt: hooked,
-                prependFrames: [orig]
               },
             });

package/lib/dataflow/propagation/install/string/html-methods.js CHANGED Viewed

@@ -62,7 +62,7 @@ module.exports = function(core) {
         patchType,
         usePost: true,
         post(data) {
-          const { args, obj, result, hooked, orig } = data;
+          const { args, obj, result, hooked } = data;
           if (!result || !getPropagatorContext()) return;
           const objInfo = tracker.getData(obj);
@@ -79,7 +79,9 @@ module.exports = function(core) {
               name,
               moduleName: 'String',
               methodName: 'prototype.anchor',
-              context: `${inspect(objInfo?.value) || String(obj)}.anchor(${argInfo ? argInfo.value : arg})`,
+              get context() {
+                return `${inspect(objInfo?.value) || String(obj)}.anchor(${argInfo ? argInfo.value : arg})`;
+              },
               object: {
                 value: objInfo?.value || String(obj),
                 tracked: !!objInfo
@@ -97,7 +99,6 @@ module.exports = function(core) {
               target: 'R',
               stacktraceOpts: {
                 constructorOpt: hooked,
-                prependFrames: [orig]
               },
             });
@@ -119,7 +120,7 @@ module.exports = function(core) {
           name,
           patchType,
           post(data) {
-            const { obj, result, hooked, orig } = data;
+            const { obj, result, hooked } = data;
             if (!result || !getPropagatorContext()) return;
             const objInfo = tracker.getData(obj);
@@ -141,14 +142,12 @@ module.exports = function(core) {
                 value: result,
                 tracked: true
               },
-              args: [],
               tags: adjustTags(method, objInfo.tags),
               history,
               source: 'O',
               target: 'R',
               stacktraceOpts: {
                 constructorOpt: hooked,
-                prependFrames: [orig]
               },
             });

package/lib/dataflow/propagation/install/string/index.js CHANGED Viewed

@@ -47,7 +47,7 @@ module.exports = function(core) {
       patchType,
       usePerf: 'sync',
       pre(data) {
-        const { args: origArgs, hooked, orig } = data;
+        const { args: origArgs, hooked } = data;
         if (
           !origArgs.length ||
           typeof origArgs[0] !== 'string' ||
@@ -64,7 +64,9 @@ module.exports = function(core) {
           name,
           moduleName: 'String',
           methodName: `prototype.${methodName}`,
-          context: `'${objInfo.value}'.${methodName}(${args[0].value})`,
+          get context() {
+            return `'${objInfo.value}'.${methodName}(${args[0].value})`;
+          },
           history: [objInfo],
           object: {
             value: objInfo.value,
@@ -75,7 +77,6 @@ module.exports = function(core) {
           result: undefined,
           stacktraceOpts: {
             constructorOpt: hooked,
-            prependFrames: [orig]
           },
           source: 'P',
           target: 'P'

package/lib/dataflow/propagation/install/string/match-all.js CHANGED Viewed

@@ -40,15 +40,17 @@ module.exports = function(core) {
   }) {
     const tags = createSubsetTags(objInfo.tags, startIdx, match.length);
-    if (!tags) return;
+    if (!tags) return null;
-    const { arg, hooked, orig } = metadata;
+    const { arg, hooked } = metadata;
     return createPropagationEvent({
       name,
       moduleName: 'String',
       methodName: 'prototype.matchAll',
-      context: `'${objInfo.value}'.matchAll(${arg})`,
+      get context() {
+        return `'${objInfo.value}'.matchAll(${arg})`;
+      },
       history: [objInfo],
       object: {
         value: objInfo.value,
@@ -62,7 +64,6 @@ module.exports = function(core) {
       },
       stacktraceOpts: {
         constructorOpt: hooked,
-        prependFrames: [orig],
       },
       source: 'O',
       target: 'R',
@@ -76,7 +77,7 @@ module.exports = function(core) {
         patchType,
         usePerf: 'sync',
         around(origFn, data) {
-          const { args, obj, hooked, orig } = data;
+          const { args, obj, hooked } = data;
           if (
             !obj ||
@@ -125,7 +126,7 @@ module.exports = function(core) {
             resValue.indices && (untrackedResult.indices = resValue.indices);
             let searchIdx = resValue.index;
-            const metadata = { arg: `${args[0]}`, hooked, orig };
+            const metadata = { arg: `${args[0]}`, hooked };
             for (let i = 0; i < resValue.length; i++) {
               let match = resValue[i];

package/lib/dataflow/propagation/install/string/match.js CHANGED Viewed

@@ -15,7 +15,6 @@
 'use strict';
-const { primordials: { ArrayPrototypeJoin } } = require('@contrast/common');
 const { createSubsetTags, getAdjustedUntrackedValue } = require('../../../tag-utils');
 const { patchType } = require('../../common');
@@ -35,11 +34,11 @@ module.exports = function(core) {
   const name = 'String.prototype.match';
-  function getPropagationEvent(data, res, objInfo, start) {
-    const { args: origArgs, result, hooked, orig } = data;
+  function getPropagationEvent(data, res, objInfo, start, resultIdx) {
+    const { args: origArgs, result, hooked } = data;
     const tags = createSubsetTags(objInfo.tags, start, res.length);
-    if (!tags) return;
+    if (!tags) return null;
     const args = [
       {
@@ -52,7 +51,9 @@ module.exports = function(core) {
       name,
       moduleName: 'String',
       methodName: 'prototype.match',
-      context: `'${objInfo.value}'.match(${args[0].value})`,
+      get context() {
+        return `'${objInfo.value}'.match(${origArgs[0]})`;
+      },
       history: [{ ...objInfo }],
       object: {
         value: objInfo.value,
@@ -61,12 +62,12 @@ module.exports = function(core) {
       args,
       tags,
       result: {
-        value: ArrayPrototypeJoin.call(result),
+        // this is not tracked yet
+        value: result[resultIdx],
         tracked: false,
       },
       stacktraceOpts: {
         constructorOpt: hooked,
-        prependFrames: [orig],
       },
       source: 'O',
       target: 'R',
@@ -125,12 +126,12 @@ module.exports = function(core) {
             if (res === obj) {
               res = objInfo.value;
-              event = getPropagationEvent(data, res, objInfo, 0);
+              event = getPropagationEvent(data, res, objInfo, 0, i);
             } else {
               const start = obj.indexOf(res, idx);
               idx += hasCaptureGroups && i === 0 ? 0 : res.length;
-              event = getPropagationEvent(data, res, objInfo, start);
+              event = getPropagationEvent(data, res, objInfo, start, i);
             }
             if (!event) continue;

package/lib/dataflow/propagation/install/string/replace.js CHANGED Viewed

@@ -237,7 +237,7 @@ module.exports = function(core) {
             data.obj === result
           ) return result;
-          const { obj, args: origArgs, hooked, orig } = data;
+          const { obj, args: origArgs, hooked } = data;
           const args = [];
           if (tracker.getData(origArgs[0])) {
             args.push({ tracked: true, value: origArgs[0] });
@@ -254,7 +254,9 @@ module.exports = function(core) {
             name,
             moduleName: 'String',
             methodName: 'prototype.replace',
-            context: `'${obj}'.replace(${ArrayPrototypeJoin.call(args.map(a => a.value))})`,
+            get context() {
+              return `'${obj}'.replace(${ArrayPrototypeJoin.call(args.map(a => a.value))})`;
+            },
             history: Array.from(data._history),
             object: {
               value: obj,
@@ -268,16 +270,13 @@ module.exports = function(core) {
             tags: data._accumTags,
             stacktraceOpts: {
               constructorOpt: hooked,
-              prependFrames: [orig]
             },
             source: data._objInfo ? (data._history.size > 1 ? 'A' : 'O') : 'P',
             target: 'R',
           });
-          if (!event) return;
+          if (!event) return null;
           const { extern } = tracker.track(result, event);
           return extern;
         }
       });

package/lib/dataflow/propagation/install/string/slice.js CHANGED Viewed

@@ -55,7 +55,7 @@ module.exports = function(core) {
         patchType,
         usePerf: 'sync',
         post(data) {
-          const { name, args: origArgs, obj, result, hooked, orig } = data;
+          const { name, args: origArgs, obj, result, hooked } = data;
           if (!result || !getPropagatorContext()) return;
           const objInfo = tracker.getData(obj);
@@ -80,7 +80,9 @@ module.exports = function(core) {
             name,
             moduleName: 'String',
             methodName: 'prototype.slice',
-            context: `'${objInfo.value}'.slice(${ArrayPrototypeJoin.call(args.map(a => a.value), ', ')})`,
+            get context() {
+              return `'${objInfo.value}'.slice(${ArrayPrototypeJoin.call(args.map(a => a.value), ', ')})`;
+            },
             history: [objInfo],
             object: {
               value: obj,
@@ -96,7 +98,6 @@ module.exports = function(core) {
             target: 'R',
             stacktraceOpts: {
               constructorOpt: hooked,
-              prependFrames: [orig]
             }
           });