@contrast/assess 1.53.0 → 1.54.1

package/lib/dataflow/propagation/install/string/replace.js

@@ -23,7 +23,8 @@ const {
     StringPrototypeReplace,
     StringPrototypeReplaceAll,
     StringPrototypeSubstring
-  }
+  },
+  isString,
 } = require('@contrast/common');
 const {
   createSubsetTags,
@@ -43,170 +44,176 @@ module.exports = function(core) {
     },
   } = core;
 
-  function parseArgs(args) {
-    //
-    // convert replace args (match, p1, p2, ..., matchIdx, str, ?groups) to
-    // re.exec(string) format [match, g1, g2, ..., index: N, input: '', groups?]
-    //
-    const r = [];
-    let ix = -1;
-    if (typeof args.at(-1) === 'object') {
-      r.groups = args.at(-1);
-      ix = -2;
-    }
-    r.input = args.at(ix);
-    ix -= 1;
-    r.index = args.at(ix);
+  const RE_REPS = /\$(\$|&|`|'|[1-9][0-9]?|<[a-zA-Z0-9_]+>)/g;
+  const STR_REPS = /\$(\$|&|`|')/g;
 
-    // ix is negative from the end, so add it
-    ix = args.length + ix;
-    for (let i = 0; i < ix; i++) {
-      r.push(args[i]);
-    }
+  const propagator = core.assess.dataflow.propagation.stringInstrumentation.replace = {
+    //
+    parseArgs(args) {
+      //
+      // convert replace args (match, p1, p2, ..., matchIdx, str, ?groups) to
+      // re.exec(string) format [match, g1, g2, ..., index: N, input: '', groups?]
+      //
+      const r = [];
+      let ix = -1;
+      if (typeof args.at(-1) === 'object') {
+        r.groups = args.at(-1);
+        ix = -2;
+      }
+      r.input = args.at(ix);
+      ix -= 1;
+      r.index = args.at(ix);
 
-    return r;
-  }
+      // ix is negative from the end, so add it
+      ix = args.length + ix;
+      for (let i = 0; i < ix; i++) {
+        r.push(args[i]);
+      }
 
-  const RE_REPS = /\$(\$|&|`|'|[1-9][0-9]?|<[a-zA-Z0-9_]+>)/g;
-  const STR_REPS = /\$(\$|&|`|')/g;
+      return r;
+    },
+    //
+    getReplacementInfo(data, replacerArgs, parsedArgs) {
+      // patternIsRE is two different flags, both booleans.
+      // - set true if the first argument to String.prototype.replace is an RE.
+      // - after the $N, $<name> checks, it flags that a substitution was made.
+      const patternIsRE = data.args[0] instanceof RegExp;
+      let replacement;
+      if (typeof data._replacement === 'function') {
+        // no special replacements apply to the string returned by a replacement
+        // function.
+        replacement = data._replacement.call(global, ...replacerArgs);
+      } else {
+        // if it's not a function then the valid special replacements depend on
+        // whether the pattern is a regex or a string. first find substitution
+        // patterns present in the replacement string. Don't find patterns that
+        // aren't valid, e.g., $0, $<name> when the pattern is a string.
+        replacement = String(data._replacement);
 
-  function getReplacementInfo(data, replacerArgs, parsedArgs) {
-    // patternIsRE is two different flags, both booleans.
-    // - set true if the first argument to String.prototype.replace is an RE.
-    // - after the $N, $<name> checks, it flags that a substitution was made.
-    const patternIsRE = data.args[0] instanceof RegExp;
-    let replacement;
-    if (typeof data._replacement === 'function') {
-      // no special replacements apply to the string returned by a replacement
-      // function.
-      replacement = data._replacement.call(global, ...replacerArgs);
-    } else {
-      // if it's not a function then the valid special replacements depend on
-      // whether the pattern is a regex or a string. first find substitution
-      // patterns present in the replacement string. Don't find patterns that
-      // aren't valid, e.g., $0, $<name> when the pattern is a string.
-      replacement = String(data._replacement);
+        const matches = StringPrototypeMatchAll.call(replacement, patternIsRE ? RE_REPS : STR_REPS);
 
-      const matches = StringPrototypeMatchAll.call(replacement, patternIsRE ? RE_REPS : STR_REPS);
+        for (const m of matches) {
+          let substitution;
+          let substitutionDone = false;
+          // format of m: ['$`', '`', index: 0, input: string, groups: undefined|{}]
+          // if the pattern is a regex, then $1 to $99 and $<name> are valid
+          if (patternIsRE) {
+            // my guess is $1 to $99 are most likely, after that, who knows? so
+            // we check named groups next, because 1) they seem more useful than
+            // the other $ patterns and 2) they are in the same patternIsRE test.
+            //
+            // in any case, the following will be false if m[1][0] is not a number.
+            if (m[1][0] >= 1 && m[1][0] <= 9) {
+              // a group might not be present, e.g., (pattern)?(a) or (a)|(b).
+              if (parsedArgs[m[1]] === undefined) {
+                if (m[1] in parsedArgs) {
+                  // need to remove $m[1] from replacement pattern. N.B. this could
+                  // mess up if the replacement text contains text that matches a
+                  // subsequent replacement (either RE or string).
+                  replacement = StringPrototypeReplaceAll.call(replacement, m[0], '');
+                } else {
+                  // no capture groups in RegExp
+                  substitution = replacement;
+                }
 
-      for (const m of matches) {
-        let substitution;
-        let substitutionDone = false;
-        // format of m: ['$`', '`', index: 0, input: string, groups: undefined|{}]
-        // if the pattern is a regex, then $1 to $99 and $<name> are valid
-        if (patternIsRE) {
-          // my guess is $1 to $99 are most likely, after that, who knows? so
-          // we check named groups next, because 1) they seem more useful than
-          // the other $ patterns and 2) they are in the same patternIsRE test.
-          //
-          // in any case, the following will be false if m[1][0] is not a number.
-          if (m[1][0] >= 1 && m[1][0] <= 9) {
-            //const group = Number(m[1]);
-            // a group might not be present, e.g., (pattern)?(a) or (a)|(b).
-            if (parsedArgs[m[1]] === undefined && m[1] in parsedArgs) {
-              // need to remove $m[1] from replacement pattern. N.B. this could
-              // mess up if the replacement text contains text that matches a
-              // subsequent replacement (either RE or string).
-              replacement = StringPrototypeReplaceAll.call(replacement, m[0], '');
-              continue;
+                continue;
+              }
+              substitution = parsedArgs[m[1]];
+              substitutionDone = true;
+            } else if (m[1][0] === '<') {
+              // named group
+              const groupName = StringPrototypeSubstring.call(m[1], 1, m[1].length - 1);
+              if (parsedArgs.groups[groupName] === undefined && groupName in parsedArgs.groups) {
+                // remove $<groupName> from the replacement pattern. N.B. this
+                // also could mess up if the replacement text containts text that
+                // matches a subsequent replacement.
+                replacement = StringPrototypeReplaceAll.call(replacement, m[0], '');
+                continue;
+              }
+              substitution = parsedArgs.groups[groupName];
+              substitutionDone = true;
             }
-            substitution = parsedArgs[m[1]];
-            substitutionDone = true;
-          } else if (m[1][0] === '<') {
-            // named group
-            const groupName = StringPrototypeSubstring.call(m[1], 1, m[1].length - 1);
-            if (parsedArgs.groups[groupName] === undefined && groupName in parsedArgs.groups) {
-              // remove $<groupName> from the replacement pattern. N.B. this
-              // also could mess up if the replacement text containts text that
-              // matches a subsequent replacement.
-              replacement = StringPrototypeReplaceAll.call(replacement, m[0], '');
-              continue;
-            }
-            substitution = parsedArgs.groups[groupName];
-            substitutionDone = true;
           }
-        }
 
-        // the following are valid whether the pattern is a regex or a string.
-        //
-        // any idea what order $&'` should be in from a most-common to least-
-        // common perspective? nfi.
-        let substitutionTags;
-        if (!substitutionDone) {
-          if (m[1] === '$') {
-            // this could actually be tracked but in order to do this "right"
-            // we have to be able to distinguish whether it is the first or
-            // the second $ that is tracked. so punt, and just ignore it, as
-            // originally implemented.
-            substitution = '$';
-            data._replacementOffset -= 1;
-          } else if (m[1] === '&') {
-            // replace these '$&' in parsedArgs[0] (replacerArgs[0], i.e., the
-            // match). if tracked, handle it. do so by index, so we don't have to
-            // call replace again? e.g., string[m.index..m.index+2]
-            substitution = parsedArgs[0];
-          } else if (m[1] === '`') {
-            const info = tracker.getData(parsedArgs.input);
-            substitution = StringPrototypeSubstring.call(parsedArgs.input, 0, parsedArgs.index);
-            substitutionTags = createSubsetTags(info.tags, parsedArgs.index, substitution.length);
-          } else if (m[1] === "'") {
-            const info = tracker.getData(parsedArgs.input);
-            substitution = StringPrototypeSubstring.call(parsedArgs.input, parsedArgs.index + parsedArgs[0].length);
-            substitutionTags = createSubsetTags(info.tags, parsedArgs.index, substitution.length);
-          } //  else {
-          //   throw new Error('how can it have matched RE and gotten here?');
-          // }
-          // i'm not sure what the proper handling of this is. if either char
-          // of the $$&`' sequence is tracked, then something the user input
-          // is manipulating the output, even if it is just duplicating what
-          // might be tracked or untracked input. does that count?
-        }
-        replacement = StringPrototypeReplace.call(replacement, m[0], substitution);
-        if (!substitutionTags && tracker.getData(substitution)) substitutionTags = tracker.getData(substitution)?.tags;
-        if (substitutionTags) {
-          data._replacementTags = createAppendTags(data._replacementTags || {}, substitutionTags, m.index + data._replacementOffset);
-          data._replacementOffset += (substitution.length - m[0].length);
+          // the following are valid whether the pattern is a regex or a string.
+          //
+          // any idea what order $&'` should be in from a most-common to least-
+          // common perspective? nfi.
+          let substitutionTags;
+          if (!substitutionDone) {
+            if (m[1] === '$') {
+              // this could actually be tracked but in order to do this "right"
+              // we have to be able to distinguish whether it is the first or
+              // the second $ that is tracked. so punt, and just ignore it, as
+              // originally implemented.
+              substitution = '$';
+              data._replacementOffset -= 1;
+            } else if (m[1] === '&') {
+              // replace these '$&' in parsedArgs[0] (replacerArgs[0], i.e., the
+              // match). if tracked, handle it. do so by index, so we don't have to
+              // call replace again? e.g., string[m.index..m.index+2]
+              substitution = parsedArgs[0];
+            } else if (m[1] === '`') {
+              const info = tracker.getData(parsedArgs.input);
+              substitution = StringPrototypeSubstring.call(parsedArgs.input, 0, parsedArgs.index);
+              substitutionTags = createSubsetTags(info.tags, parsedArgs.index, substitution.length);
+            } else if (m[1] === "'") {
+              const info = tracker.getData(parsedArgs.input);
+              substitution = StringPrototypeSubstring.call(parsedArgs.input, parsedArgs.index + parsedArgs[0].length);
+              substitutionTags = createSubsetTags(info.tags, parsedArgs.index, substitution.length);
+            } //  else {
+            //   throw new Error('how can it have matched RE and gotten here?');
+            // }
+            // i'm not sure what the proper handling of this is. if either char
+            // of the $$&`' sequence is tracked, then something the user input
+            // is manipulating the output, even if it is just duplicating what
+            // might be tracked or untracked input. does that count?
+          }
+          replacement = StringPrototypeReplace.call(replacement, m[0], substitution);
+          if (!substitutionTags && tracker.getData(substitution)) substitutionTags = tracker.getData(substitution)?.tags;
+          if (substitutionTags) {
+            data._replacementTags = createAppendTags(data._replacementTags || {}, substitutionTags, m.index + data._replacementOffset);
+            data._replacementOffset += (substitution.length - m[0].length);
+          }
         }
       }
-    }
 
-    // coerce the replacement to a string, e.g., null => 'null'
-    replacement = String(replacement);
-
-    data._replacementInfo = tracker.getData(replacement);
-    if (data._replacementInfo) {
-      data._history.add(data._replacementInfo);
-    }
+      // coerce the replacement to a string, e.g., null => 'null'
+      replacement = String(replacement);
 
-    return { replacement, replacementTags: data._replacementTags || data._replacementInfo?.tags };
-  }
+      data._replacementInfo = tracker.getData(replacement);
+      if (data._replacementInfo) {
+        data._history.add(data._replacementInfo);
+      }
 
-  function getReplacer(data) {
-    return function replacer(...args) {
-      const parsedArgs = parseArgs(args);
-      const match = parsedArgs[0];
-      const { index, input } = parsedArgs;
+      return { replacement, replacementTags: data._replacementTags || data._replacementInfo?.tags };
+    },
+    //
+    getReplacer(data) {
+      return function replacer(...args) {
+        const parsedArgs = propagator.parseArgs(args);
+        const match = parsedArgs[0];
+        const { index, input } = parsedArgs;
 
-      const { _accumOffset, _accumTags } = data;
-      const { replacement, replacementTags } = getReplacementInfo(data, args, parsedArgs);
+        const { _accumOffset, _accumTags } = data;
+        const { replacement, replacementTags } = propagator.getReplacementInfo(data, args, parsedArgs);
 
-      const preTags = createSubsetTags(_accumTags, 0, _accumOffset + index);
-      const postTags = createSubsetTags(_accumTags, _accumOffset + index + match.length, input.length - index - match.length);
-      data._accumOffset += (replacement.length - match.length);
-      if (preTags || postTags || replacementTags) {
-        data._accumTags = createAppendTags(
-          createAppendTags(preTags, replacementTags, _accumOffset + index),
-          postTags,
-          data._accumOffset + index + match.length
-        );
-      } else {
-        data._accumTags = {};
-      }
-      return replacement;
-    };
-  }
+        const preTags = createSubsetTags(_accumTags, 0, _accumOffset + index);
+        const postTags = createSubsetTags(_accumTags, _accumOffset + index + match.length, input.length - index - match.length);
+        data._accumOffset += (replacement.length - match.length);
+        if (preTags || postTags || replacementTags) {
+          data._accumTags = createAppendTags(
+            createAppendTags(preTags, replacementTags, _accumOffset + index),
+            postTags,
+            data._accumOffset + index + match.length
+          );
+        } else {
+          data._accumTags = {};
+        }
+        return replacement;
+      };
+    },
 
-  return core.assess.dataflow.propagation.stringInstrumentation.replace = {
     install() {
       const name = 'String.prototype.replace';
       const store = { name, lock: true };
@@ -215,20 +222,27 @@ module.exports = function(core) {
         patchType,
         usePerf: 'sync',
         around(next, data) {
-          if (!getPropagatorContext()) return next();
+          const _next = !scopes.instrumentation.isLocked() ? () => scopes.instrumentation.run(store, next) : next;
+
+          if (!getPropagatorContext()) return _next();
 
           // setup state
           data._objInfo = tracker.getData(data.obj);
           data._replacement = data.args[1];
-          data._replacementType = typeof data._replacement;
           data._history = data._objInfo ? new Set([data._objInfo]) : new Set();
           data._accumTags = data._objInfo?.tags || {};
           data._accumOffset = 0;
           data._replacementOffset = 0;
 
-          data.args[1] = getReplacer(data);
+          // bail early if no constituents are tracked
+          if (
+            !data._objInfo &&
+            isString(data.args[1]) &&
+            !tracker.getData(data.args[1])
+          ) return _next();
 
-          const result = !scopes.instrumentation.isLocked() ? scopes.instrumentation.run(store, next) : next();
+          data.args[1] = propagator.getReplacer(data);
+          const result = _next();
 
           if (
             !result ||
@@ -237,7 +251,7 @@ module.exports = function(core) {
             data.obj === result
           ) return result;
 
-          const { obj, args: origArgs, hooked, orig } = data;
+          const { obj, args: origArgs, hooked } = data;
           const args = [];
           if (tracker.getData(origArgs[0])) {
             args.push({ tracked: true, value: origArgs[0] });
@@ -254,7 +268,9 @@ module.exports = function(core) {
             name,
             moduleName: 'String',
             methodName: 'prototype.replace',
-            context: `'${obj}'.replace(${ArrayPrototypeJoin.call(args.map(a => a.value))})`,
+            get context() {
+              return `'${obj}'.replace(${ArrayPrototypeJoin.call(args.map(a => a.value))})`;
+            },
             history: Array.from(data._history),
             object: {
               value: obj,
@@ -268,16 +284,13 @@ module.exports = function(core) {
             tags: data._accumTags,
             stacktraceOpts: {
               constructorOpt: hooked,
-              prependFrames: [orig]
             },
             source: data._objInfo ? (data._history.size > 1 ? 'A' : 'O') : 'P',
             target: 'R',
           });
-
-          if (!event) return;
+          if (!event) return null;
 
           const { extern } = tracker.track(result, event);
-
           return extern;
         }
       });
@@ -286,4 +299,6 @@ module.exports = function(core) {
       String.prototype.replace = patcher.unwrap(String.prototype.replace);
     }
   };
+
+  return propagator;
 };

package/lib/dataflow/propagation/install/string/slice.js

@@ -55,7 +55,7 @@ module.exports = function(core) {
         patchType,
         usePerf: 'sync',
         post(data) {
-          const { name, args: origArgs, obj, result, hooked, orig } = data;
+          const { name, args: origArgs, obj, result, hooked } = data;
           if (!result || !getPropagatorContext()) return;
 
           const objInfo = tracker.getData(obj);
@@ -80,7 +80,9 @@ module.exports = function(core) {
             name,
             moduleName: 'String',
             methodName: 'prototype.slice',
-            context: `'${objInfo.value}'.slice(${ArrayPrototypeJoin.call(args.map(a => a.value), ', ')})`,
+            get context() {
+              return `'${objInfo.value}'.slice(${ArrayPrototypeJoin.call(args.map(a => a.value), ', ')})`;
+            },
             history: [objInfo],
             object: {
               value: obj,
@@ -96,7 +98,6 @@ module.exports = function(core) {
             target: 'R',
             stacktraceOpts: {
               constructorOpt: hooked,
-              prependFrames: [orig]
             }
           });
 

package/lib/dataflow/propagation/install/string/split.js

@@ -16,7 +16,7 @@
 'use strict';
 
 const { primordials: { ArrayPrototypeJoin, RegExpPrototypeExec } } = require('@contrast/common');
-const { createSubsetTags, getAdjustedUntrackedValue } = require('../../../tag-utils');
+const { createSubsetTags } = require('../../../tag-utils');
 const { patchType } = require('../../common');
 
 module.exports = function(core) {
@@ -46,7 +46,7 @@ module.exports = function(core) {
             next();
         },
         post(data) {
-          const { name, args: origArgs, obj, result, hooked, orig } = data;
+          const { name, args: origArgs, obj, result, hooked } = data;
           const splitterIsRx = origArgs[0] instanceof RegExp;
 
           if (
@@ -81,7 +81,7 @@ module.exports = function(core) {
             if (tags) {
               const metadata = makeEvent({
                 result: { tracked: true, value: result[i] },
-                tags: tags,
+                tags,
               });
 
               if (metadata) {
@@ -115,7 +115,7 @@ module.exports = function(core) {
                 if (tags) {
                   const metadata = makeEvent({
                     result: { tracked: true, value: result[i] },
-                    tags: tags,
+                    tags,
                   });
                   eventFactory.createdEvents.add(metadata);
                   const { extern } = tracker.track(result[i], metadata);
@@ -137,28 +137,28 @@ module.exports = function(core) {
               const args = origArgs.map((arg) => {
                 const argInfo = tracker.getData(arg);
                 return argInfo ?
-                  { tracked: true, value: argInfo.value } :
-                  { tracked: false, value: `'${arg}'` };
+                    { tracked: true, value: argInfo.value } :
+                    { tracked: false, value: splitterIsRx ? arg.toString() : `'${arg}'` };
               });
               _event = eventFactory.createPropagationEvent({
                 name,
                 moduleName: 'String',
                 methodName: 'prototype.split',
-                context: `'${objInfo.value}'.split(${ArrayPrototypeJoin.call(args.map(a => a.value))})`,
+                get context() {
+                  return `'${objInfo.value}'.split(${ArrayPrototypeJoin.call(args.map(a => a.value))})`;
+                },
                 history: [objInfo],
                 object: {
                   value: obj,
                   tracked: true,
                 },
                 args,
-                tags: {},
                 result: {
-                  value: getAdjustedUntrackedValue(result),
-                  tracked: false
+                  value: `${result}`,
+                  tracked: true
                 },
                 stacktraceOpts: {
                   constructorOpt: hooked,
-                  prependFrames: [orig]
                 },
                 source: 'O',
                 target: 'R'

package/lib/dataflow/propagation/install/string/substring.js

@@ -63,7 +63,7 @@ module.exports = function(core) {
           patchType,
           usePerf: 'sync',
           post(data) {
-            const { obj, args: origArgs, result, name, hooked, orig } = data;
+            const { obj, args: origArgs, result, name, hooked } = data;
             if (!result || !getPropagatorContext()) return;
 
             const objInfo = tracker.getData(obj);
@@ -90,7 +90,9 @@ module.exports = function(core) {
               name,
               moduleName: 'String',
               methodName: 'prototype.substring',
-              context: `'${objInfo.value}'.substring(${ArrayPrototypeJoin.call(args.map(a => a.value))})`,
+              get context() {
+                return `'${objInfo.value}'.substring(${ArrayPrototypeJoin.call(args.map(a => a.value))})`;
+              },
               history: [objInfo],
               object: {
                 value: obj,
@@ -105,7 +107,6 @@ module.exports = function(core) {
               source: 'O',
               stacktraceOpts: {
                 constructorOpt: hooked,
-                prependFrames: [orig]
               },
               target: 'R',
             });

package/lib/dataflow/propagation/install/string/trim.js

@@ -30,7 +30,7 @@ module.exports = function(core) {
 
   function createPostHook(methodName, presetStart) {
     return function(data) {
-      const { obj, result, hooked, orig } = data;
+      const { obj, result, hooked } = data;
 
       if (!result?.length || !getPropagatorContext()) {
         return;
@@ -56,7 +56,9 @@ module.exports = function(core) {
         name: `String.prototype.${methodName}`,
         moduleName: 'String',
         methodName: `prototype.${methodName}`,
-        context: `'${obj}'.${methodName}()`,
+        get context() {
+          return `'${obj}'.${methodName}()`;
+        },
         history,
         object: {
           value: obj,
@@ -69,7 +71,6 @@ module.exports = function(core) {
         tags: newTags,
         stacktraceOpts: {
           constructorOpt: hooked,
-          prependFrames: [orig]
         },
         source: 'O',
         target: 'R'

package/lib/dataflow/propagation/install/unescape.js

@@ -17,7 +17,7 @@
 
 const { DataflowTag: { WEAK_URL_ENCODED } } = require('@contrast/common');
 const { createFullLengthCopyTags } = require('../../tag-utils');
-const { patchType, createObjectLabel } = require('../common');
+const { patchType, globalObject: object } = require('../common');
 
 module.exports = function(core) {
   const {
@@ -38,29 +38,26 @@ module.exports = function(core) {
         patchType,
         usePerf: 'sync',
         post(data) {
-          const { args, result, hooked, orig } = data;
+          const { args, result, hooked } = data;
           if (!result || !args[0] || !getPropagatorContext()) return;
 
           const argInfo = tracker.getData(args[0]);
-
           if (!argInfo) return;
 
           const resultInfo = tracker.getData(result);
           const history = [argInfo];
           const newTags = createFullLengthCopyTags(argInfo.tags, result.length);
           delete newTags[WEAK_URL_ENCODED];
-
           if (!Object.keys(newTags).length) return;
 
           const event = createPropagationEvent({
             name,
             moduleName: 'global',
             methodName: 'unescape',
-            context: `unescape('${argInfo.value}')`,
-            object: {
-              value: createObjectLabel('global'),
-              tracked: false
+            get context() {
+              return `unescape('${argInfo.value}')`;
             },
+            object,
             result: {
               value: resultInfo ? resultInfo.value : result,
               tracked: true
@@ -73,18 +70,13 @@ module.exports = function(core) {
             removedTags: [WEAK_URL_ENCODED],
             stacktraceOpts: {
               constructorOpt: hooked,
-              prependFrames: [orig]
             },
           });
-
           if (!event) return;
 
-          if (resultInfo) {
-            Object.assign(resultInfo, event);
-          }
+          if (resultInfo) Object.assign(resultInfo, event);
 
           const { extern } = tracker.track(result, event);
-
           if (extern) {
             data.result = extern;
           }