npm - @contrast/assess - Versions diffs - 1.52.0 → 1.54.0 - Mend

@contrast/assess 1.52.0 → 1.54.0

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (84) hide show

package/lib/dataflow/propagation/install/string/split.js CHANGED Viewed

@@ -16,7 +16,7 @@
 'use strict';
 const { primordials: { ArrayPrototypeJoin, RegExpPrototypeExec } } = require('@contrast/common');
-const { createSubsetTags, getAdjustedUntrackedValue } = require('../../../tag-utils');
+const { createSubsetTags } = require('../../../tag-utils');
 const { patchType } = require('../../common');
 module.exports = function(core) {
@@ -46,7 +46,7 @@ module.exports = function(core) {
             next();
         },
         post(data) {
-          const { name, args: origArgs, obj, result, hooked, orig } = data;
+          const { name, args: origArgs, obj, result, hooked } = data;
           const splitterIsRx = origArgs[0] instanceof RegExp;
           if (
@@ -81,7 +81,7 @@ module.exports = function(core) {
             if (tags) {
               const metadata = makeEvent({
                 result: { tracked: true, value: result[i] },
-                tags: tags,
+                tags,
               });
               if (metadata) {
@@ -115,7 +115,7 @@ module.exports = function(core) {
                 if (tags) {
                   const metadata = makeEvent({
                     result: { tracked: true, value: result[i] },
-                    tags: tags,
+                    tags,
                   });
                   eventFactory.createdEvents.add(metadata);
                   const { extern } = tracker.track(result[i], metadata);
@@ -137,28 +137,28 @@ module.exports = function(core) {
               const args = origArgs.map((arg) => {
                 const argInfo = tracker.getData(arg);
                 return argInfo ?
-                  { tracked: true, value: argInfo.value } :
-                  { tracked: false, value: `'${arg}'` };
+                    { tracked: true, value: argInfo.value } :
+                    { tracked: false, value: splitterIsRx ? arg.toString() : `'${arg}'` };
               });
               _event = eventFactory.createPropagationEvent({
                 name,
                 moduleName: 'String',
                 methodName: 'prototype.split',
-                context: `'${objInfo.value}'.split(${ArrayPrototypeJoin.call(args.map(a => a.value))})`,
+                get context() {
+                  return `'${objInfo.value}'.split(${ArrayPrototypeJoin.call(args.map(a => a.value))})`;
+                },
                 history: [objInfo],
                 object: {
                   value: obj,
                   tracked: true,
                 },
                 args,
-                tags: {},
                 result: {
-                  value: getAdjustedUntrackedValue(result),
-                  tracked: false
+                  value: `${result}`,
+                  tracked: true
                 },
                 stacktraceOpts: {
                   constructorOpt: hooked,
-                  prependFrames: [orig]
                 },
                 source: 'O',
                 target: 'R'

package/lib/dataflow/propagation/install/string/substring.js CHANGED Viewed

@@ -63,7 +63,7 @@ module.exports = function(core) {
           patchType,
           usePerf: 'sync',
           post(data) {
-            const { obj, args: origArgs, result, name, hooked, orig } = data;
+            const { obj, args: origArgs, result, name, hooked } = data;
             if (!result || !getPropagatorContext()) return;
             const objInfo = tracker.getData(obj);
@@ -90,7 +90,9 @@ module.exports = function(core) {
               name,
               moduleName: 'String',
               methodName: 'prototype.substring',
-              context: `'${objInfo.value}'.substring(${ArrayPrototypeJoin.call(args.map(a => a.value))})`,
+              get context() {
+                return `'${objInfo.value}'.substring(${ArrayPrototypeJoin.call(args.map(a => a.value))})`;
+              },
               history: [objInfo],
               object: {
                 value: obj,
@@ -105,7 +107,6 @@ module.exports = function(core) {
               source: 'O',
               stacktraceOpts: {
                 constructorOpt: hooked,
-                prependFrames: [orig]
               },
               target: 'R',
             });

package/lib/dataflow/propagation/install/string/trim.js CHANGED Viewed

@@ -30,7 +30,7 @@ module.exports = function(core) {
   function createPostHook(methodName, presetStart) {
     return function(data) {
-      const { obj, result, hooked, orig } = data;
+      const { obj, result, hooked } = data;
       if (!result?.length || !getPropagatorContext()) {
         return;
@@ -56,7 +56,9 @@ module.exports = function(core) {
         name: `String.prototype.${methodName}`,
         moduleName: 'String',
         methodName: `prototype.${methodName}`,
-        context: `'${obj}'.${methodName}()`,
+        get context() {
+          return `'${obj}'.${methodName}()`;
+        },
         history,
         object: {
           value: obj,
@@ -69,7 +71,6 @@ module.exports = function(core) {
         tags: newTags,
         stacktraceOpts: {
           constructorOpt: hooked,
-          prependFrames: [orig]
         },
         source: 'O',
         target: 'R'

package/lib/dataflow/propagation/install/unescape.js CHANGED Viewed

@@ -17,7 +17,7 @@
 const { DataflowTag: { WEAK_URL_ENCODED } } = require('@contrast/common');
 const { createFullLengthCopyTags } = require('../../tag-utils');
-const { patchType, createObjectLabel } = require('../common');
+const { patchType, globalObject: object } = require('../common');
 module.exports = function(core) {
   const {
@@ -38,29 +38,26 @@ module.exports = function(core) {
         patchType,
         usePerf: 'sync',
         post(data) {
-          const { args, result, hooked, orig } = data;
+          const { args, result, hooked } = data;
           if (!result || !args[0] || !getPropagatorContext()) return;
           const argInfo = tracker.getData(args[0]);
           if (!argInfo) return;
           const resultInfo = tracker.getData(result);
           const history = [argInfo];
           const newTags = createFullLengthCopyTags(argInfo.tags, result.length);
           delete newTags[WEAK_URL_ENCODED];
           if (!Object.keys(newTags).length) return;
           const event = createPropagationEvent({
             name,
             moduleName: 'global',
             methodName: 'unescape',
-            context: `unescape('${argInfo.value}')`,
-            object: {
-              value: createObjectLabel('global'),
-              tracked: false
+            get context() {
+              return `unescape('${argInfo.value}')`;
             },
+            object,
             result: {
               value: resultInfo ? resultInfo.value : result,
               tracked: true
@@ -73,18 +70,13 @@ module.exports = function(core) {
             removedTags: [WEAK_URL_ENCODED],
             stacktraceOpts: {
               constructorOpt: hooked,
-              prependFrames: [orig]
             },
           });
           if (!event) return;
-          if (resultInfo) {
-            Object.assign(resultInfo, event);
-          }
+          if (resultInfo) Object.assign(resultInfo, event);
           const { extern } = tracker.track(result, event);
           if (extern) {
             data.result = extern;
           }

package/lib/dataflow/propagation/install/url/domain-parsers.js CHANGED Viewed

@@ -16,7 +16,7 @@
 'use strict';
 const { createFullLengthCopyTags } = require('../../../tag-utils');
-const { patchType, createModuleLabel } = require('../../common');
+const { patchType } = require('../../common');
 module.exports = function(core) {
   const {
@@ -40,7 +40,7 @@ module.exports = function(core) {
             patchType,
             usePerf: 'sync',
             post(data) {
-              const { args, result, hooked, orig } = data;
+              const { args, result, hooked } = data;
               if (!result || !args[0] || !getPropagatorContext()) return;
               const argInfo = tracker.getData(args[0]);
@@ -54,9 +54,11 @@ module.exports = function(core) {
                 name,
                 moduleName: 'url',
                 methodName: method,
-                context: `url.${method}('${argInfo.value}')`,
+                get context() {
+                  return `url.${method}('${argInfo.value}')`;
+                },
                 object: {
-                  value: createModuleLabel('url', version),
+                  value: 'url',
                   tracked: false
                 },
                 result: {
@@ -70,7 +72,6 @@ module.exports = function(core) {
                 target: 'R',
                 stacktraceOpts: {
                   constructorOpt: hooked,
-                  prependFrames: [orig]
                 },
               });

package/lib/dataflow/propagation/install/url/parse.js CHANGED Viewed

@@ -16,6 +16,7 @@
 'use strict';
 const { patchType } = require('../../common');
+const { createSubsetTags } = require('../../../tag-utils');
 module.exports = function(core) {
   const {
@@ -51,12 +52,14 @@ module.exports = function(core) {
     ]
   ];
-  function getPropagationEvent(argInfo, partInfo, { name, result, hooked, orig }, parseQueryString = false) {
+  function getPropagationEvent(argInfo, { value, tags }, { name, result, hooked, orig }, parseQueryString = false) {
     return createPropagationEvent({
       name,
       moduleName: 'url',
       methodName: 'parse',
-      context: `url.parse('${argInfo.value += parseQueryString ? "', true" : ''})`,
+      get context() {
+        return `url.parse('${argInfo.value += parseQueryString ? "', true" : ''})`;
+      },
       object: {
         value: 'url',
         tracked: false
@@ -65,14 +68,13 @@ module.exports = function(core) {
         value: inspect(result),
         tracked: true
       },
-      args: [{ value: partInfo.value, tracked: true }],
-      tags: partInfo.tags,
-      history: [{ ...partInfo }],
+      args: [{ value, tracked: true }],
+      tags,
+      history: [{ ...argInfo }],
       source: 'P',
       target: 'R',
       stacktraceOpts: {
         constructorOpt: hooked,
-        prependFrames: [orig]
       },
     });
   }
@@ -80,7 +82,6 @@ module.exports = function(core) {
   return core.assess.dataflow.propagation.urlInstrumentation.parse = {
     install() {
       depHooks.resolve({ name: 'url', version: '*' }, (url) => {
         const name = 'url.parse';
         patcher.patch(url, 'parse', {
@@ -98,7 +99,7 @@ module.exports = function(core) {
             const metadata = { name, result, hooked, orig };
             const traverse = function(href, url, keys, idx = 0) {
-              let substr = href;
+              const substr = href;
               keys.forEach((key) => {
                 if (typeof key === 'string') {
                   const part = result[key];
@@ -117,20 +118,19 @@ module.exports = function(core) {
                       });
                       return;
                     } else {
-                      const index = href.indexOf(part, idx - 1);
-                      substr = href.substring(index, index + part.length);
+                      const index = url.href.indexOf(part, idx - 1);
+                      const substrTags = createSubsetTags(argInfo.tags, index, part.length);
+                      if (!substrTags) return;
                       idx += part.length;
-                    }
-                    const partInfo = tracker.getData(substr);
-                    if (!partInfo) return;
+                      const event = getPropagationEvent(argInfo, { value: part, tags: substrTags }, metadata);
-                    const event = getPropagationEvent(argInfo, partInfo, metadata);
+                      if (!event) return;
-                    if (!event) return;
+                      const { extern } = tracker.track(part, event);
-                    Object.assign(partInfo, event);
-                    result[key] = substr;
+                      if (extern) result[key] = extern;
+                    }
                   }
                 } else {
                   traverse(substr, url, key, 0);

package/lib/dataflow/propagation/install/url/searchParams.js CHANGED Viewed

@@ -15,8 +15,8 @@
 'use strict';
-const { isString, primordials: { StringPrototypeConcat, StringPrototypeReplaceAll } } = require('@contrast/common');
-const { createAppendTags } = require('../../../tag-utils');
+const { isString, primordials: { StringPrototypeConcat, StringPrototypeReplaceAll, StringPrototypeSplit, StringPrototypeSubstring } } = require('@contrast/common');
+const { createAppendTags, createSubsetTags } = require('../../../tag-utils');
 const { patchType } = require('../../common');
 module.exports = function(core) {
@@ -31,12 +31,14 @@ module.exports = function(core) {
     }
   } = core;
-  function getPropagationEvent(params, paramInfo, data) {
+  function getPropagationEvent(params, tags, data, history) {
     return createPropagationEvent({
       name: 'url.URLSearchParams',
       moduleName: 'url',
       methodName: 'URLSearchParams',
-      context: `url.URLSearchParams('${inspect(params)}')`,
+      get context() {
+        return `url.URLSearchParams('${inspect(params)}')`;
+      },
       object: {
         value: 'url',
         tracked: false
@@ -46,13 +48,12 @@ module.exports = function(core) {
         tracked: true
       },
       args: [{ value: inspect(params), tracked: false }],
-      tags: paramInfo.tags,
-      history: [paramInfo],
+      tags,
+      history,
       source: 'P',
       target: 'R',
       stacktraceOpts: {
         constructorOpt: data.hooked,
-        prependFrames: [data.orig]
       },
     });
   }
@@ -73,28 +74,39 @@ module.exports = function(core) {
             const [params] = args;
             if (isString(params)) {
-              params.split('&').forEach((query) => {
+              const paramsInfo = tracker.getData(params);
+              if (!paramsInfo) return;
+              let idx = 0;
+              StringPrototypeSplit.call(params, '&').forEach((query) => {
                 const endIdx = query.indexOf('=');
                 // we don't want to create a propagation event by splitting off
                 // the '?'. so if there start at index 1 else 0.
-                const key = query.substring(query[0] === '?' ? 1 : 0, endIdx);
-                const param = query.substring(endIdx + 1, query.length);
-                const keyInfo = tracker.getData(key);
-                const paramInfo = tracker.getData(param);
-                if (keyInfo) {
-                  const event = getPropagationEvent(params, keyInfo, data);
-                  if (event) Object.assign(keyInfo, event);
+                const keyIdx = query[0] === '?' ? 1 : 0;
+                const key = StringPrototypeSubstring.call(query, keyIdx, endIdx);
+                const param = StringPrototypeSubstring.call(query, endIdx + 1, query.length);
+                idx += params.indexOf(query, idx);
+                const keyTags = createSubsetTags(paramsInfo.tags, idx + keyIdx, key.length);
+                const paramTags = createSubsetTags(paramsInfo.tags, key.length + idx + keyIdx + 1, param.length);
+                if (keyTags) {
+                  const event = getPropagationEvent(params, keyTags, data, [paramsInfo]);
+                  if (event) {
+                    const { extern } = tracker.track(key, event);
+                    if (extern) {
+                      result.delete(key);
+                      result.set(extern, param);
+                    }
+                  }
                 }
-                if (paramInfo) {
-                  const event = getPropagationEvent(params, paramInfo, data);
-                  if (event) Object.assign(paramInfo, event);
+                if (paramTags) {
+                  const event = getPropagationEvent(params, paramTags, data, [paramsInfo]);
+                  if (event) {
+                    const { extern } = tracker.track(param, event);
+                    if (extern) result.set(key, extern);
+                  }
                 }
-                if (keyInfo) result.delete(key);
-                result.set(key, param);
               });
             }
@@ -103,7 +115,7 @@ module.exports = function(core) {
                 const paramInfo = tracker.getData(params[key]);
                 if (!paramInfo) return;
-                const event = getPropagationEvent(params, paramInfo, data);
+                const event = getPropagationEvent(params, paramInfo.tags, data, [paramInfo]);
                 if (!event) return;
                 Object.assign(paramInfo, event);
@@ -167,7 +179,6 @@ module.exports = function(core) {
                 if (Object.keys(finalTags).length) {
                   const event = createPropagationEvent({
-                    args: [],
                     context: `${inspect(params)}.toString()`,
                     moduleName: 'url',
                     methodName: 'URLSearchParams.toString',

package/lib/dataflow/propagation/install/url/url.js CHANGED Viewed

@@ -62,7 +62,9 @@ module.exports = function(core) {
       name: 'url.URL',
       moduleName: 'url',
       methodName: 'URL',
-      context: `url.URL('${strInfo.value}')`,
+      get context() {
+        return `url.URL('${strInfo.value}')`;
+      },
       object: {
         value: 'url',
         tracked: false
@@ -78,7 +80,6 @@ module.exports = function(core) {
       target: 'R',
       stacktraceOpts: {
         constructorOpt: data.hooked,
-        prependFrames: [data.orig]
       },
     });
   }

package/lib/dataflow/propagation/install/util-format.js CHANGED Viewed

@@ -40,7 +40,7 @@ module.exports = function(core) {
           patchType,
           usePerf: 'sync',
           post(data) {
-            const { args, result, hooked, orig } = data;
+            const { args, result, hooked } = data;
             if (!result || !args[0] || !isString(args[0]) || !getPropagatorContext()) return;
             let idx = 0;
@@ -114,7 +114,9 @@ module.exports = function(core) {
               name,
               moduleName: 'util',
               methodName: 'format',
-              context: `util.format(${eventArgs.map((arg) => `'${arg.value}'`)})`,
+              get context() {
+                return `util.format(${eventArgs.map((arg) => `'${arg.value}'`)})`;
+              },
               object: {
                 value: 'util',
                 tracked: false
@@ -130,7 +132,6 @@ module.exports = function(core) {
               target: 'R',
               stacktraceOpts: {
                 constructorOpt: hooked,
-                prependFrames: [orig]
               },
             });

package/lib/dataflow/propagation/install/validator/hooks.js CHANGED Viewed

@@ -53,7 +53,6 @@ module.exports = function (core) {
       },
       stacktraceData: {
         constructorOpt: data.hooked,
-        prependFrames: [data.orig]
       },
       source: 'P1',
       target

package/lib/dataflow/sinks/install/eval.js CHANGED Viewed

@@ -104,7 +104,9 @@ module.exports = function (core) {
           if (isArgVulnerable) {
             const event = createSinkEvent({
               name: 'eval',
-              context: `eval('${strInfo.value}')`,
+              get context() {
+                return `eval('${strInfo.value}')`;
+              },
               history: [strInfo],
               object: {
                 value: 'global',

package/lib/dataflow/sinks/install/fastify/unvalidated-redirect.js CHANGED Viewed

@@ -86,7 +86,7 @@ module.exports = function(core) {
   unvalidatedRedirect.install = function() {
     const name = 'fastify.Reply.prototype.redirect';
-    depHooks.resolve({ name: 'fastify', version: '>=3 <5', file: 'lib/reply' }, (Reply) => {
+    depHooks.resolve({ name: 'fastify', version: '>=3 <6', file: 'lib/reply' }, (Reply) => {
       patcher.patch(Reply.prototype, 'redirect', {
         name,
         patchType,

package/lib/dataflow/sinks/install/function.js CHANGED Viewed

@@ -113,10 +113,9 @@ module.exports = function (core) {
             });
             const event = createSinkEvent({
               name,
-              context: `${name}(${ArrayPrototypeJoin.call(
-                args.map((a) => a.inspectedValue),
-                ', '
-              )})`,
+              get context() {
+                return `${name}(${ArrayPrototypeJoin.call(args.map((a) => a.inspectedValue), ', ')})`;
+              },
               history: [strInfo],
               object: {
                 value: 'global.ContrastMethods',

package/lib/dataflow/sinks/install/marsdb.js CHANGED Viewed

@@ -105,7 +105,9 @@ module.exports = function (core) {
         const sinkEvent = createSinkEvent({
           args,
-          context: `marsdb.Collection.${method}(${args.map((a) => a.value)})`,
+          get context() {
+            return `marsdb.Collection.${method}(${args.map((a) => a.value)})`;
+          },
           moduleName: 'marsdb',
           methodName: `Collection.prototype.${method}`,
           history: [strInfo],

package/lib/dataflow/sinks/install/mongodb.js CHANGED Viewed

@@ -337,7 +337,9 @@ module.exports = function (core) {
         const resultVal = args[args.length - 1].value.startsWith('[Function') ? '' : 'Promise';
         const sinkEvent = createSinkEvent({
           args,
-          context: `${objName}.${method}(${args.map((a, idx) => isString(origArgs[idx]) ? `'${a.value}'` : a.value)})`,
+          get context() {
+            return `${objName}.${method}(${args.map((a, idx) => isString(origArgs[idx]) ? `'${a.value}'` : a.value)})`;
+          },
           history: [vulnInfo.strInfo],
           object: {
             tracked: false,

package/lib/dataflow/sinks/install/mssql.js CHANGED Viewed

@@ -26,7 +26,6 @@ const {
   Rule: { SQL_INJECTION: ruleId },
   isString,
 } = require('@contrast/common');
-const { createModuleLabel } = require('../../propagation/common');
 const { patchType, filterSafeTags } = require('../common');
 const safeTags = [
@@ -75,10 +74,12 @@ module.exports = function (core) {
         name,
         moduleName: 'mssql',
         methodName: `${obj}.prototype.${method}`,
-        context: `mssql.${obj}.${method}('${strInfo.value}')`,
+        get context() {
+          return `mssql.${obj}.${method}('${strInfo.value}')`;
+        },
         history: [strInfo],
         object: {
-          value: `[${createModuleLabel('mssql', version)}].${obj}`,
+          value: `mssql.${obj}`,
           tracked: false,
         },
         args: [

package/lib/dataflow/sinks/install/mysql.js CHANGED Viewed

@@ -91,7 +91,9 @@ module.exports = function(core) {
       name: `${module}/${file}`,
       moduleName: module,
       methodName: `prototype.${method}`,
-      context: `${module}.${method}(${inspect(data.args[0])})`,
+      get context() {
+        return `${module}.${method}(${inspect(data.args[0])})`;
+      },
       history: [strInfo],
       object: {
         value: `${module}.${obj}`,

package/lib/dataflow/sinks/install/restify.js CHANGED Viewed

@@ -186,7 +186,9 @@ module.exports = function(core) {
                   const { tags, args } = getAdjustedValues(data.args, vulns, vulnArgIdx);
                   const sinkEvent = createSinkEvent({
                     args,
-                    context: `res.redirect(${ArrayPrototypeJoin.call(args.map((a) => a.value))})`,
+                    get context() {
+                      return `res.redirect(${ArrayPrototypeJoin.call(args.map((a) => a.value))})`;
+                    },
                     history,
                     tags,
                     source: 'P0',

package/lib/dataflow/sinks/install/sqlite3.js CHANGED Viewed

@@ -74,10 +74,12 @@ module.exports = function(core) {
       name,
       moduleName: 'sqlite3',
       methodName: `Database.prototype.${method}`,
-      context: `db.${method}('${strInfo.value}')`,
+      get context() {
+        return `db.${method}('${strInfo.value}')`;
+      },
       history: [strInfo],
       object: {
-        value: '[Module<sqlite3>].Database',
+        value: 'sqlite3.Database',
         tracked: false,
       },
       args: [

package/lib/dataflow/sinks/install/vm.js CHANGED Viewed

@@ -205,10 +205,12 @@ module.exports = function (core) {
     if (vulnerableArg) {
       const event = createSinkEvent({
         name,
-        context: `${name}(${ArrayPrototypeJoin.call(
-          argsInfo.map((a) => a.ctxValue),
-          ', '
-        )})`,
+        get context() {
+          return `${name}(${ArrayPrototypeJoin.call(
+            argsInfo.map((a) => a.ctxValue),
+            ', '
+          )})`;
+        },
         history: [vulnerableArg.strInfo],
         object: {
           value: methodPath.includes('prototype')

package/lib/dataflow/sources/handler.js CHANGED Viewed

@@ -19,6 +19,7 @@ const {
   InputType,
   DataflowTag,
   isString,
+  empties,
   primordials: {
     ArrayPrototypeJoin,
     StringPrototypeToLowerCase
@@ -43,8 +44,6 @@ module.exports = Core.makeComponent({
     const logger = core.logger.child({ name: 'contrast:sources' });
-    const emptyStack = Object.freeze([]);
     sources.createTags = function createTags({ inputType, fieldName = '', value, tagNames }) {
       if (!value?.length) {
         return null;
@@ -70,7 +69,7 @@ module.exports = Core.makeComponent({
     sources.createStacktrace = function(stacktraceOpts) {
       return config.assess.stacktraces === 'NONE' || config.assess.stacktraces === 'SINK'
-        ? emptyStack
+        ? empties.ARRAY
         : createSnapshot(stacktraceOpts)();
     };