@contrast/assess 1.53.0 → 1.54.0
This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
- package/lib/crypto-analysis/install/math.js +0 -1
- package/lib/dataflow/propagation/common.js +6 -6
- package/lib/dataflow/propagation/install/JSON/parse.js +7 -3
- package/lib/dataflow/propagation/install/JSON/stringify.js +7 -6
- package/lib/dataflow/propagation/install/array-prototype-join.js +5 -8
- package/lib/dataflow/propagation/install/buffer.js +4 -4
- package/lib/dataflow/propagation/install/contrast-methods/add.js +42 -38
- package/lib/dataflow/propagation/install/contrast-methods/string.js +4 -2
- package/lib/dataflow/propagation/install/contrast-methods/tag.js +3 -1
- package/lib/dataflow/propagation/install/decode-uri-component.js +5 -7
- package/lib/dataflow/propagation/install/ejs/escape-xml.js +4 -3
- package/lib/dataflow/propagation/install/ejs/template.js +1 -1
- package/lib/dataflow/propagation/install/encode-uri.js +5 -7
- package/lib/dataflow/propagation/install/escape-html.js +4 -3
- package/lib/dataflow/propagation/install/escape.js +5 -7
- package/lib/dataflow/propagation/install/handlebars-utils-escape-expression.js +4 -3
- package/lib/dataflow/propagation/install/joi/boolean.js +1 -3
- package/lib/dataflow/propagation/install/joi/expression.js +1 -3
- package/lib/dataflow/propagation/install/joi/number.js +1 -3
- package/lib/dataflow/propagation/install/joi/string-schema.js +2 -6
- package/lib/dataflow/propagation/install/joi/utils.js +2 -4
- package/lib/dataflow/propagation/install/joi/values.js +1 -3
- package/lib/dataflow/propagation/install/mongoose/schema-map.js +1 -3
- package/lib/dataflow/propagation/install/mongoose/schema-mixed.js +1 -3
- package/lib/dataflow/propagation/install/mongoose/schema-string.js +4 -5
- package/lib/dataflow/propagation/install/mustache-escape.js +4 -3
- package/lib/dataflow/propagation/install/mysql-connection-escape.js +9 -8
- package/lib/dataflow/propagation/install/path/basename.js +6 -7
- package/lib/dataflow/propagation/install/path/common.js +1 -0
- package/lib/dataflow/propagation/install/path/dirname.js +6 -8
- package/lib/dataflow/propagation/install/path/extname.js +8 -22
- package/lib/dataflow/propagation/install/path/format.js +6 -10
- package/lib/dataflow/propagation/install/path/join-and-resolve.js +7 -13
- package/lib/dataflow/propagation/install/path/normalize.js +8 -18
- package/lib/dataflow/propagation/install/path/parse.js +8 -18
- package/lib/dataflow/propagation/install/path/relative.js +8 -15
- package/lib/dataflow/propagation/install/path/toNamespacedPath.js +7 -18
- package/lib/dataflow/propagation/install/pug/index.js +1 -1
- package/lib/dataflow/propagation/install/pug-runtime-escape.js +6 -5
- package/lib/dataflow/propagation/install/querystring/escape.js +3 -1
- package/lib/dataflow/propagation/install/querystring/parse.js +3 -2
- package/lib/dataflow/propagation/install/querystring/stringify.js +4 -4
- package/lib/dataflow/propagation/install/reg-exp-prototype-exec.js +4 -3
- package/lib/dataflow/propagation/install/sequelize/query-generator.js +0 -1
- package/lib/dataflow/propagation/install/sequelize/sql-string.js +16 -17
- package/lib/dataflow/propagation/install/sql-template-strings.js +6 -10
- package/lib/dataflow/propagation/install/string/concat.js +4 -4
- package/lib/dataflow/propagation/install/string/format-methods.js +4 -4
- package/lib/dataflow/propagation/install/string/html-methods.js +5 -6
- package/lib/dataflow/propagation/install/string/index.js +4 -3
- package/lib/dataflow/propagation/install/string/match-all.js +7 -6
- package/lib/dataflow/propagation/install/string/match.js +10 -9
- package/lib/dataflow/propagation/install/string/replace.js +5 -6
- package/lib/dataflow/propagation/install/string/slice.js +4 -3
- package/lib/dataflow/propagation/install/string/split.js +11 -11
- package/lib/dataflow/propagation/install/string/substring.js +4 -3
- package/lib/dataflow/propagation/install/string/trim.js +4 -3
- package/lib/dataflow/propagation/install/unescape.js +6 -14
- package/lib/dataflow/propagation/install/url/domain-parsers.js +6 -5
- package/lib/dataflow/propagation/install/url/parse.js +17 -17
- package/lib/dataflow/propagation/install/url/searchParams.js +36 -25
- package/lib/dataflow/propagation/install/url/url.js +3 -2
- package/lib/dataflow/propagation/install/util-format.js +4 -3
- package/lib/dataflow/propagation/install/validator/hooks.js +0 -1
- package/lib/dataflow/sinks/install/eval.js +3 -1
- package/lib/dataflow/sinks/install/function.js +3 -4
- package/lib/dataflow/sinks/install/marsdb.js +3 -1
- package/lib/dataflow/sinks/install/mongodb.js +3 -1
- package/lib/dataflow/sinks/install/mssql.js +4 -3
- package/lib/dataflow/sinks/install/mysql.js +3 -1
- package/lib/dataflow/sinks/install/restify.js +3 -1
- package/lib/dataflow/sinks/install/sqlite3.js +4 -2
- package/lib/dataflow/sinks/install/vm.js +6 -4
- package/lib/dataflow/sources/handler.js +2 -3
- package/lib/dataflow/sources/install/fastify/fastify.js +4 -4
- package/lib/dataflow/tag-utils.js +15 -1
- package/lib/dataflow/tracker.js +0 -5
- package/lib/event-factory.js +1 -1
- package/lib/session-configuration/install/express-session.js +0 -1
- package/lib/session-configuration/install/fastify-cookie.js +0 -3
- package/lib/session-configuration/install/hapi.js +0 -1
- package/lib/session-configuration/install/koa.js +0 -3
- package/package.json +10 -10
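--- a/package/lib/dataflow/propagation/common.js
+++ b/package/lib/dataflow/propagation/common.js
@@ -15,12 +15,12 @@
 
 'use strict';
 
+const globalObject = {
+value: 'global',
+tracked: false
+};
+
 module.exports = {
 patchType: 'assess-dataflow-propagator',
-
-return `Module<${name}@${version}>`;
-},
-createObjectLabel(name, id = '0001') {
-return `Object<${name}@${id}>`;
-}
+globalObject
 };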
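Review bot: `globalObject` at new line 18 is a plain mutable object that is handed, unchanged, to createPropagationEvent as the event's `object` by every importer on this page (decode-uri-component.js, encode-uri.js and escape.js each take it as `globalObject: object`), so any later write to its `value` or `tracked` would leak across every propagation event in the process. Freezing it makes the sharing safe at no cost: `const globalObject = Object.freeze({ value: 'global', tracked: false });`. Whether anything downstream mutates an event's `object` is not visible here, but a frozen constant removes the question.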
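--- a/package/lib/dataflow/propagation/install/JSON/parse.js
+++ b/package/lib/dataflow/propagation/install/JSON/parse.js
@@ -16,7 +16,7 @@
 'use strict';
 
 const { isString } = require('@contrast/common');
-const { createSubsetTags } = require('../../../tag-utils');
+const { createSubsetTags, truncateStringValue } = require('../../../tag-utils');
 const { patchType } = require('../../common');
 const { getKeyValueIndices } = require('./parse-fn');
 
@@ -68,8 +68,13 @@ module.exports = function (core) {
 }
 ].filter(Boolean);
 
+if (!data.truncatedArg0)
+data.truncatedArg0 = truncateStringValue(data.args[0]);
+
 return createPropagationEvent({
-context
+get context() {
+return `${method}(${eventArgs.map((arg, i) => i == 0 ? data.truncatedArg0 : `'${arg.value}'`)})`;
+},
 name: method,
 history: [strInfo],
 moduleName: 'JSON',
@@ -87,7 +92,6 @@ module.exports = function (core) {
 tags: newTags,
 stacktraceOpts: {
 constructorOpt: data.hooked,
-prependFrames: [data.orig],
 },
 source: 'P0',
 target: 'R',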
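Review bot: The cache guard `if (!data.truncatedArg0)` at new line 71 keys on truthiness, so an empty truncated value (`''`) is recomputed on every read instead of being cached once; testing for absence, `if (data.truncatedArg0 === undefined)`, matches the intent. In the getter at line 76, `i == 0` is a loose comparison where `i === 0` is what the rest of this codebase's strict checks (e.g. `vulnerableSources.length === 1` in stringify.js) would lead a reader to expect. The `.map(...)` result is also interpolated straight into the template, relying on Array-to-string joining with `,`; an explicit `.join(', ')` would make the intended format visible. The createPropagationEvent call continues past the end of the hunk.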
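--- a/package/lib/dataflow/propagation/install/JSON/stringify.js
+++ b/package/lib/dataflow/propagation/install/JSON/stringify.js
@@ -26,7 +26,7 @@ const {
 }
 } = require('@contrast/common');
 const crypto = require('crypto');
-const { createMergedTags, getAdjustedUntrackedValue } = require('../../../tag-utils');
+const { createMergedTags, getAdjustedUntrackedValue, truncateStringValue } = require('../../../tag-utils');
 const { patchType } = require('../../common');
 
 function makeCanary() {
@@ -227,7 +227,7 @@ module.exports = function(core) {
 let tags = {};
 const vulnerableSources = [];
 if (!data.metadata?.propagate) {
-return
+return;
 }
 
 const { metadata } = data;
@@ -243,10 +243,12 @@ module.exports = function(core) {
 }
 
 data.result = ret;
-
+const truncatedResult = truncateStringValue(ret);
 const method = 'JSON.stringify';
 const event = createPropagationEvent({
-context
+get context() {
+return `${method}(${truncatedResult})`;
+},
 name: method,
 moduleName: 'JSON',
 methodName: 'stringify',
@@ -272,13 +274,12 @@ module.exports = function(core) {
 })
 ].filter(Boolean),
 result: {
-value:
+value: truncatedResult,
 tracked: true
 },
 tags,
 stacktraceOpts: {
 constructorOpt: data.hooked,
-prependFrames: [data.orig]
 },
 source: vulnerableSources.length === 1 ? vulnerableSources[0] : 'P',
 target: 'R',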
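Review bot: `result.value` at new line 277 is now the truncated string while `tags` (line 280) and the tracked `data.result` (line 245) still describe the full `ret`, so any consumer that derives ranges from `result.value.length` (the joi propagators on this page build `[0, strInfo.value.length - 1]`) would see full-length tag ranges against a shorter value. It is worth confirming that event consumers treat `result.value` as display-only, and recording that next to line 246: `// display-only: tags and the tracked value refer to the full ret`. `truncateStringValue(ret)` at line 246 also runs on every call whether or not an event is produced, and the hunk does not show whether `ret` is guaranteed to be a string at this point (JSON.stringify can return undefined), so confirm the helper tolerates non-strings.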
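--- a/package/lib/dataflow/propagation/install/array-prototype-join.js
+++ b/package/lib/dataflow/propagation/install/array-prototype-join.js
@@ -23,7 +23,6 @@ module.exports = function(core) {
 const {
 patcher,
 assess: {
-inspect,
 getPropagatorContext,
 eventFactory: { createPropagationEvent },
 dataflow: { tracker }
@@ -70,7 +69,7 @@ module.exports = function(core) {
 patchType,
 usePerf: 'sync',
 post(data) {
-const { args: origArgs, obj, result, hooked
+const { args: origArgs, obj, result, hooked } = data;
 if (!result || !getPropagatorContext()) return;
 
 const resultInfo = tracker.getData(result);
@@ -80,10 +79,9 @@ module.exports = function(core) {
 const initHistory = delimiterInfo ? new Set([delimiterInfo]) : new Set();
 const { newTags, newHistory: history } = accumulateTags(obj, {}, 0, initHistory, delimiterLength, delimiterInfo?.tags);
 const object = {
-value:
+value: ArrayPrototypeJoin.call(obj),
 tracked: false
 };
-
 const args = [{
 value: delimiterInfo ? delimiterInfo.value : delimiter,
 tracked: !!delimiterInfo
@@ -94,7 +92,9 @@ module.exports = function(core) {
 name,
 moduleName: 'Array',
 methodName: 'prototype.join',
-context
+get context() {
+return `${object.value}.join('${args[0].value || ','}'})`;
+},
 object,
 result: {
 value: resultInfo ? resultInfo.value : result,
@@ -107,10 +107,8 @@ module.exports = function(core) {
 target: 'R',
 stacktraceOpts: {
 constructorOpt: hooked,
-prependFrames: [orig]
 },
 });
-
 if (!event) return;
 
 if (resultInfo) {
@@ -118,7 +116,6 @@ module.exports = function(core) {
 }
 
 const { extern } = resultInfo || tracker.track(result, event);
-
 if (extern) {
 data.result = extern;
 }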
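Review bot: The context template at new line 96 has a stray `}` after the closing quote (`'${args[0].value || ','}'})`), so every context renders as `x.join('sep'})`. The same line picks the separator with `||`, which reports `','` when the caller passed an empty-string separator (a valid and common join argument); `??` keeps the default only for an absent delimiter: `return \`${object.value}.join('${args[0].value ?? ','}')\`;`. Separately, `value: ArrayPrototypeJoin.call(obj)` at line 82 re-joins the whole array eagerly on every call, including the calls where `createPropagationEvent` returns nothing — the lazy `context` getter was introduced to avoid exactly that cost, so if the event factory does not read `object.value` eagerly, a getter there too would finish the job.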
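--- a/package/lib/dataflow/propagation/install/buffer.js
+++ b/package/lib/dataflow/propagation/install/buffer.js
@@ -36,7 +36,7 @@ module.exports = function(core) {
 patchType,
 name,
 post(data) {
-const { hooked, obj,
+const { hooked, obj, result } = data;
 
 if (!result || !getPropagatorContext()) return;
 
@@ -49,7 +49,9 @@ module.exports = function(core) {
 args: data.args.map((a) => ({ tracked: false, value: a })),
 moduleName: 'Buffer',
 methodName: 'prototype.toString',
-context
+get context() {
+return 'buffer.toString()';
+},
 object: { tracked: true, value: 'Buffer' },
 history: [bufferInfo],
 name,
@@ -61,7 +63,6 @@ module.exports = function(core) {
 tags: bufferInfo.tags,
 stacktraceOpts: {
 constructorOpt: hooked,
-prependFrames: [orig]
 },
 target: 'R',
 });
@@ -122,7 +123,6 @@ module.exports = function(core) {
 tags: trkInfo.tags,
 stacktraceOpts: {
 constructorOpt: data.hooked,
-prependFrames: [data.orig]
 },
 target: 'R',
 });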
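--- a/package/lib/dataflow/propagation/install/contrast-methods/add.js
+++ b/package/lib/dataflow/propagation/install/contrast-methods/add.js
@@ -37,6 +37,7 @@ module.exports = function(core) {
 // patch for it, so we don't have to worry about managing patch execution order
 // (which patcher would do).
 const { add } = global.ContrastMethods;
+
 global.ContrastMethods.add = function(...args) {
 // first get result, then following logic acts as post-hook in patcher speak
 const result = add(...args);
@@ -56,6 +57,8 @@ module.exports = function(core) {
 const leftStringInfo = tracker.getData(args[0]);
 const rightStringInfo = tracker.getData(args[1]);
 
+if (!leftStringInfo && !rightStringInfo) return result;
+
 let newTags = {};
 const history = [];
 
@@ -69,49 +72,50 @@ module.exports = function(core) {
 newTags = createAppendTags(newTags, rightStringInfo.tags, args[0].length);
 }
 
-
-
-
-
-
-
-
-value: leftArg
-},
-{
-tracked: !!rightStringInfo,
-value: rightArg,
-}
-],
-context: `${inspect(leftArg)} + ${inspect(rightArg)}`,
-moduleName: 'global',
-methodName: 'ContrastMethods.add',
-history,
-object: {
-value: 'String Addition',
-tracked: false
-},
-name: 'ContrastMethods.add',
-result: {
-value: result,
-tracked: true
+const leftArg = leftStringInfo ? leftStringInfo.value : args[0];
+const rightArg = rightStringInfo ? rightStringInfo.value : args[1];
+const event = createPropagationEvent({
+args: [
+{
+tracked: !!leftStringInfo,
+value: leftArg
 },
-
-
-
-}
-
-
-
-
-
-
-
-
+{
+tracked: !!rightStringInfo,
+value: rightArg,
+}
+],
+get context() {
+return `${inspect(leftArg)} + ${inspect(rightArg)}`;
+},
+moduleName: 'global',
+methodName: 'ContrastMethods.add',
+history,
+object: {
+value: 'String Addition',
+tracked: false
+},
+name: 'ContrastMethods.add',
+result: {
+value: result,
+tracked: true
+},
+source: 'P',
+stacktraceOpts: {
+constructorOpt: add,
+},
+tags: newTags,
+target: 'R',
+});
+
+if (event) {
+const { extern } = tracker.track(result, event);
+if (extern) return extern;
 }
 
 return result;
 };
+
 global.ContrastMethods.add[origSym] = add;
 },
 uninstall() {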
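Review bot: `constructorOpt: add` at new line 105 names the original `add`, which has already returned by the time the event is built (`const result = add(...args);` at line 43), so if stacktraceOpts is passed through to Error.captureStackTrace it trims nothing and the wrapper's own frame stays in every recorded trace. Naming the wrapper gives captureStackTrace a function that is actually on the stack: `global.ContrastMethods.add = function contrastAdd(...args) {` at line 41 and `constructorOpt: contrastAdd,` at line 105. How stacktraceOpts is consumed lives in event-factory.js, which is not on this page, so confirm that before changing it.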
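--- a/package/lib/dataflow/propagation/install/contrast-methods/string.js
+++ b/package/lib/dataflow/propagation/install/contrast-methods/string.js
@@ -66,7 +66,9 @@ module.exports = function(core) {
 name,
 moduleName: 'global',
 methodName: 'ContrastMethods.String',
-context
+get context() {
+return `${name}('${argInfo.value}')`;
+},
 history,
 object: {
 tracked: !!objInfo,
@@ -80,7 +82,7 @@ module.exports = function(core) {
 },
 target: 'R',
 stacktraceOpts: {
-
+constructorOpt: data.hooked,
 },
 result: {
 value: data.result,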
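--- a/package/lib/dataflow/propagation/install/contrast-methods/tag.js
+++ b/package/lib/dataflow/propagation/install/contrast-methods/tag.js
@@ -73,7 +73,9 @@ module.exports = function(core) {
 resultData,
 createPropagationEvent({
 args,
-context
+get context() {
+return `\`${context}\``;
+},
 moduleName: 'global',
 methodName: 'ContrastMethods.tag',
 history: Array.from(history),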
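--- a/package/lib/dataflow/propagation/install/decode-uri-component.js
+++ b/package/lib/dataflow/propagation/install/decode-uri-component.js
@@ -17,7 +17,7 @@
 
 const { DataflowTag: { URL_ENCODED } } = require('@contrast/common');
 const { createFullLengthCopyTags } = require('../../tag-utils');
-const { patchType,
+const { patchType, globalObject: object } = require('../common');
 
 module.exports = function(core) {
 const {
@@ -38,7 +38,7 @@ module.exports = function(core) {
 patchType,
 usePerf: 'sync',
 post(data) {
-const { args, result, hooked
+const { args, result, hooked } = data;
 if (!result || !args[0] || !getPropagatorContext()) return;
 
 const argInfo = tracker.getData(args[0]);
@@ -61,11 +61,10 @@ module.exports = function(core) {
 name,
 moduleName: 'global',
 methodName: 'decodeURIComponent',
-context
-
-value: createObjectLabel('global'),
-tracked: false
+get context() {
+return `decodeURIComponent('${argInfo.value}')`;
 },
+object,
 result: {
 value: result,
 tracked: true
@@ -78,7 +77,6 @@ module.exports = function(core) {
 removedTags: [URL_ENCODED],
 stacktraceOpts: {
 constructorOpt: hooked,
-prependFrames: [orig]
 },
 });
 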
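--- a/package/lib/dataflow/propagation/install/ejs/escape-xml.js
+++ b/package/lib/dataflow/propagation/install/ejs/escape-xml.js
@@ -39,7 +39,7 @@ module.exports = function(core) {
 patchType,
 usePerf: 'sync',
 post(data) {
-const { args, result, hooked
+const { args, result, hooked } = data;
 if (!result || !args[0] || !getPropagatorContext()) return;
 
 const argInfo = tracker.getData(args[0]);
@@ -54,7 +54,9 @@ module.exports = function(core) {
 
 const event = createPropagationEvent({
 name,
-context
+get context() {
+return `ejs.utils.escapeXML('${argInfo.value}')`;
+},
 moduleName: 'ejs',
 methodName: 'escapeXML',
 object: {
@@ -71,7 +73,6 @@ module.exports = function(core) {
 history,
 stacktraceOpts: {
 constructorOpt: hooked,
-prependFrames: [orig]
 },
 source: 'P',
 target: 'R',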
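--- a/package/lib/dataflow/propagation/install/ejs/template.js
+++ b/package/lib/dataflow/propagation/install/ejs/template.js
@@ -37,7 +37,7 @@ module.exports = function (core) {
 } = core;
 
 /** @type {import('@contrast/rewriter').RewriteOpts} */
-const REWRITE_OPTS = { isModule: false, inject: false, wrap: false };
+const REWRITE_OPTS = { isModule: false, inject: false, wrap: false, minify: false };
 const WRAPPER_PREFIX = ArrayPrototypeJoin.call([
 'function tempWrapper() {',
 'function __append(s) { if (s !== undefined && s !== null) __output += s }'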
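--- a/package/lib/dataflow/propagation/install/encode-uri.js
+++ b/package/lib/dataflow/propagation/install/encode-uri.js
@@ -19,7 +19,7 @@ const {
 DataflowTag: { URL_ENCODED, WEAK_URL_ENCODED }
 } = require('@contrast/common');
 const { createEscapeTagRanges } = require('../../tag-utils');
-const { patchType,
+const { patchType, globalObject: object } = require('../common');
 
 module.exports = function(core) {
 const {
@@ -49,7 +49,7 @@ module.exports = function(core) {
 patchType,
 usePerf: 'sync',
 post(data) {
-const { args, result, hooked
+const { args, result, hooked } = data;
 if (!result || !args[0] || !getPropagatorContext()) return;
 
 const argInfo = tracker.getData(args[0]);
@@ -68,11 +68,10 @@ module.exports = function(core) {
 name,
 moduleName: 'global',
 methodName,
-context
-
-value: createObjectLabel('global'),
-tracked: false
+get context() {
+return `${methodName}('${argInfo.value}')`;
 },
+object,
 result: {
 value: result,
 tracked: true
@@ -85,7 +84,6 @@ module.exports = function(core) {
 addedTags: [tag],
 stacktraceOpts: {
 constructorOpt: hooked,
-prependFrames: [orig]
 },
 });
 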
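--- a/package/lib/dataflow/propagation/install/escape-html.js
+++ b/package/lib/dataflow/propagation/install/escape-html.js
@@ -40,7 +40,7 @@ module.exports = function(core) {
 patchType,
 usePerf: 'sync',
 post(data) {
-const { args, result, hooked
+const { args, result, hooked } = data;
 if (!result || !args[0] || !getPropagatorContext()) return;
 
 const argInfo = tracker.getData(args[0]);
@@ -57,7 +57,9 @@ module.exports = function(core) {
 name,
 moduleName: 'escape-html',
 methodName: '',
-context
+get context() {
+return `escapeHtml(${argInfo.value})`;
+},
 object: {
 value: 'escape-html',
 tracked: false
@@ -74,7 +76,6 @@ module.exports = function(core) {
 addedTags: [HTML_ENCODED],
 stacktraceOpts: {
 constructorOpt: hooked,
-prependFrames: [orig]
 },
 });
 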
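Review bot: The context built at new line 61, `escapeHtml(${argInfo.value})`, embeds the argument bare, while every sibling propagator in this release quotes it (`escape('${argInfo.value}')`, `ejs.utils.escapeXML('${argInfo.value}')`, `${name}('${argInfo.value}')`), so this one context reads as if an identifier rather than a string had been passed. `return \`escapeHtml('${argInfo.value}')\`;` keeps the reported contexts uniform. The createPropagationEvent call extends beyond the hunk on both sides.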
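--- a/package/lib/dataflow/propagation/install/escape.js
+++ b/package/lib/dataflow/propagation/install/escape.js
@@ -17,7 +17,7 @@
 
 const { DataflowTag: { WEAK_URL_ENCODED } } = require('@contrast/common');
 const { createFullLengthCopyTags } = require('../../tag-utils');
-const { patchType,
+const { patchType, globalObject: object } = require('../common');
 
 module.exports = function(core) {
 const {
@@ -38,7 +38,7 @@ module.exports = function(core) {
 patchType,
 usePerf: 'sync',
 post(data) {
-const { args, result, hooked
+const { args, result, hooked } = data;
 if (!result || !args[0] || !getPropagatorContext()) return;
 
 const argInfo = tracker.getData(args[0]);
@@ -55,11 +55,10 @@ module.exports = function(core) {
 name,
 moduleName: 'global',
 methodName: 'escape',
-context
-
-value: createObjectLabel('global'),
-tracked: false
+get context() {
+return `escape('${argInfo.value}')`;
 },
+object,
 result: {
 value: resultInfo ? resultInfo.value : result,
 tracked: true
@@ -72,7 +71,6 @@ module.exports = function(core) {
 addedTags: [WEAK_URL_ENCODED],
 stacktraceOpts: {
 constructorOpt: hooked,
-prependFrames: [orig]
 },
 });
 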
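--- a/package/lib/dataflow/propagation/install/handlebars-utils-escape-expression.js
+++ b/package/lib/dataflow/propagation/install/handlebars-utils-escape-expression.js
@@ -40,7 +40,7 @@ module.exports = function(core) {
 patchType,
 usePerf: 'sync',
 post(data) {
-const { args, result, hooked
+const { args, result, hooked } = data;
 if (!result || !args[0] || !getPropagatorContext()) return;
 
 const argInfo = tracker.getData(args[0]);
@@ -57,7 +57,9 @@ module.exports = function(core) {
 name,
 moduleName: 'handlebars',
 methodName: 'Utils.escapeExpression',
-context
+get context() {
+return `${name}('${argInfo.value}')`;
+},
 object: {
 value: 'handlebars.Utils',
 tracked: false
@@ -74,7 +76,6 @@ module.exports = function(core) {
 target: 'R',
 stacktraceOpts: {
 constructorOpt: hooked,
-prependFrames: [orig]
 },
 });
 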
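--- a/package/lib/dataflow/propagation/install/joi/string-schema.js
+++ b/package/lib/dataflow/propagation/install/joi/string-schema.js
@@ -78,9 +78,7 @@ module.exports = function(core) {
 [tagName]: [0, strInfo.value.length - 1],
 },
 target: 'P0',
-stacktraceOpts: {
-prependFrames: [origFn],
-},
+// stacktraceOpts: {},
 });
 
 if (event) {
@@ -175,9 +173,7 @@ module.exports = function(core) {
 source: 'P0',
 tags: createFullLengthCopyTags(argInfo.tags, result.value.length),
 target: 'R',
-stacktraceOpts: {
-prependFrames: [data.orig],
-},
+// stacktraceOpts: {},
 });
 
 if (!event) return;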
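Review bot: `// stacktraceOpts: {},` at new line 81 (again at line 176, and at line 68 of the joi/utils.js hunk that follows) is commented-out code standing in for the removed option; either delete the line or replace it with a comment that explains the omission, e.g. `// no stacktraceOpts: see event-factory for the default frame handling`, adjusted to whatever the factory actually does. Every other propagator in this release keeps a `stacktraceOpts.constructorOpt`, so these three events are now the only ones created without one, which — depending on the factory's default — may leave the propagator's own frames in the captured traces. Both createPropagationEvent calls begin outside their hunks.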
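--- a/package/lib/dataflow/propagation/install/joi/utils.js
+++ b/package/lib/dataflow/propagation/install/joi/utils.js
@@ -37,7 +37,7 @@ function getRefInstancesTrackingData(tracker, obj, refInstancesPaths) {
 }
 
 function tagCustomValidatedString(createPropagationEvent, strInfo, metadata) {
-const { inspectedSecondArg,
+const { inspectedSecondArg, methodName, target } = metadata;
 
 if (!strInfo) return;
 
@@ -65,9 +65,7 @@ function tagCustomValidatedString(createPropagationEvent, strInfo, metadata) {
 [CUSTOM_VALIDATED]: [0, strInfo.value.length - 1],
 },
 target,
-stacktraceOpts: {
-prependFrames: [origFn],
-},
+// stacktraceOpts: {},
 });
 
 if (event) {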