npm - @contrast/assess - Versions diffs - 1.52.0 → 1.54.0 - Mend

@contrast/assess 1.52.0 → 1.54.0

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (84) hide show

package/lib/dataflow/sources/install/fastify/fastify.js CHANGED Viewed

@@ -31,19 +31,19 @@ module.exports = function (core) {
   const source = sources.fastifyInstrumentation.fastify = {
     install() {
-      depHooks.resolve({ name: 'fastify', version: '>=3.2.0 <5' }, (fastify) => patcher.patch(fastify, {
+      depHooks.resolve({ name: 'fastify', version: '>=3.2.0 <6' }, (fastify) => patcher.patch(fastify, {
         name: 'fastify.constructor',
         patchType,
         post({ result: server, funcKey }) {
           server.addHook('preValidation', function preValidationHandler(request, reply, done) {
+            const sourceContext = getSourceContext();
+            if (!sourceContext) return done();
             const bodyType = request?.headers?.['content-type']?.includes('/json')
               ? InputType.JSON_VALUE
               : typeof request.body == 'object'
                 ? InputType.PARAMETER_VALUE
                 : InputType.BODY;
-            const sourceContext = getSourceContext();
-            if (!sourceContext) return;
             [
               { key: 'query', inputType: InputType.QUERYSTRING, alreadyTrackedFlag: 'parsedQuery' },
@@ -71,7 +71,7 @@ module.exports = function (core) {
               }
             });
-            done();
+            return done();
           });
         },
       }));

package/lib/dataflow/tag-utils.js CHANGED Viewed

@@ -14,7 +14,7 @@
  */
 'use strict';
-const { empties, primordials: { StringPrototypeSplit } } = require('@contrast/common');
+const { empties, primordials: { StringPrototypeSplit, StringPrototypeSubstr } } = require('@contrast/common');
 //
 // This module implements tag range manipulation functions. There are generally
@@ -536,6 +536,19 @@ function getAdjustedUntrackedValue(origValue) {
   return origValue?.constructor?.name ?? (origValue === null ? 'null' : typeof origValue);
 }
+/**
+ * Truncation spec: https://github.com/Contrast-Security-Inc/assess-specifications/blob/master/vulnerability/truncate-event-snapshots.md
+ * While the spec calls to truncate the middle of strings, we're going to just chop off the end.
+ * This way we don't have to recalculate all of the tag ranges to adjust for truncating.
+ * @param {string} str input string to be truncated
+ * @param {number} len
+ * @returns {string}
+ */
+function truncateStringValue(str, len = 103) {
+  if (str.length <= len) return str;
+  return `${StringPrototypeSubstr.call(str, 0, len)}...`;
+}
 module.exports = {
   createSubsetTags,
   createAppendTags,
@@ -546,4 +559,5 @@ module.exports = {
   createOverlappingTags,
   createEscapeTagRanges,
   getAdjustedUntrackedValue,
+  truncateStringValue,
 };

package/lib/dataflow/tracker.js CHANGED Viewed

@@ -37,10 +37,6 @@ module.exports = function tracker(core) {
     return objMap.get(value) || null;
   }
-  function isTracked(value) {
-    return distringuish.isExternal(value);
-  }
   function track(value, metadata) {
     let ret = Object.create(null);
@@ -152,6 +148,5 @@ module.exports = function tracker(core) {
     untrack,
     getData,
     getInfo: getData,
-    isTracked,
   };
 };

package/lib/event-factory.js CHANGED Viewed

@@ -45,7 +45,7 @@ module.exports = Core.makeComponent({
     eventFactory.createdEvents = new WeakSet();
-    eventFactory.createSourceEvent = function(data = {}) {
+    eventFactory.createSourceEvent = function(data) {
       if (!data.result?.value) {
         logger.debug(SOURCE_EVENT_MSG, `invalid result: ${data.name}`);
         return null;

package/lib/session-configuration/install/express-session.js CHANGED Viewed

@@ -69,7 +69,6 @@ module.exports = function (core) {
               value: optionsString,
             }],
             context: `expressSession(${optionsString})`,
-            history: [],
             name: 'express.hookedSessionConstructor',
             moduleName: 'express-session',
             methodName: '',

package/lib/session-configuration/install/fastify-cookie.js CHANGED Viewed

@@ -59,7 +59,6 @@ module.exports = function (core) {
                 value: displayArg
               }],
               context: `fastifyCookie(${displayArg})`,
-              history: [],
               name: 'fastifyCookie',
               moduleName: '@fastify/cookie',
               methodName: '',
@@ -71,8 +70,6 @@ module.exports = function (core) {
                 tracked: false,
               },
               source: 'P0',
-              stack: [],
-              tags: {},
               framework: '@fastify/cookie',
             });

package/lib/session-configuration/install/hapi.js CHANGED Viewed

@@ -56,7 +56,6 @@ module.exports = function (core) {
                     value: inspect(options),
                   }],
                   context: `state(${inspect(data.args)})`,
-                  history: [],
                   name: `hapi.${server}.state`,
                   moduleName: 'hapi',
                   methodName: '',

package/lib/session-configuration/install/koa.js CHANGED Viewed

@@ -72,7 +72,6 @@ module.exports = function (core) {
                         value: displayArg
                       }],
                       context: `ctx.cookies.set(${displayArg})`,
-                      history: [],
                       name: 'koaCookie',
                       moduleName: 'koa',
                       methodName: '',
@@ -84,8 +83,6 @@ module.exports = function (core) {
                         tracked: false,
                       },
                       source: 'P',
-                      stack: [],
-                      tags: {},
                       framework: 'koa',
                     });
                     if (!httpOnly) {

package/package.json CHANGED Viewed

@@ -1,6 +1,6 @@
 {
   "name": "@contrast/assess",
-  "version": "1.52.0",
+  "version": "1.54.0",
   "description": "Contrast service providing framework-agnostic Assess support",
   "license": "SEE LICENSE IN LICENSE",
   "author": "Contrast Security <nodejs@contrastsecurity.com> (https://www.contrastsecurity.com)",
@@ -21,16 +21,16 @@
   },
   "dependencies": {
     "@contrast/common": "1.32.0",
-    "@contrast/config": "1.45.0",
-    "@contrast/core": "1.50.0",
-    "@contrast/dep-hooks": "1.19.0",
+    "@contrast/config": "1.46.0",
+    "@contrast/core": "1.51.0",
+    "@contrast/dep-hooks": "1.20.0",
     "@contrast/distringuish": "^5.1.0",
-    "@contrast/instrumentation": "1.29.0",
-    "@contrast/logger": "1.23.0",
-    "@contrast/patcher": "1.22.0",
-    "@contrast/rewriter": "1.26.0",
-    "@contrast/route-coverage": "1.40.0",
-    "@contrast/scopes": "1.20.0",
+    "@contrast/instrumentation": "1.30.0",
+    "@contrast/logger": "1.24.0",
+    "@contrast/patcher": "1.23.0",
+    "@contrast/rewriter": "1.27.0",
+    "@contrast/route-coverage": "1.42.0",
+    "@contrast/scopes": "1.21.0",
     "semver": "^7.6.0"
   }
 }