@contrast/assess 1.54.0 → 1.54.1

package/lib/dataflow/propagation/install/string/replace.js

@@ -23,7 +23,8 @@ const {
     StringPrototypeReplace,
     StringPrototypeReplaceAll,
     StringPrototypeSubstring
-  }
+  },
+  isString,
 } = require('@contrast/common');
 const {
   createSubsetTags,
@@ -43,170 +44,176 @@ module.exports = function(core) {
     },
   } = core;
 
-  function parseArgs(args) {
-    //
-    // convert replace args (match, p1, p2, ..., matchIdx, str, ?groups) to
-    // re.exec(string) format [match, g1, g2, ..., index: N, input: '', groups?]
-    //
-    const r = [];
-    let ix = -1;
-    if (typeof args.at(-1) === 'object') {
-      r.groups = args.at(-1);
-      ix = -2;
-    }
-    r.input = args.at(ix);
-    ix -= 1;
-    r.index = args.at(ix);
+  const RE_REPS = /\$(\$|&|`|'|[1-9][0-9]?|<[a-zA-Z0-9_]+>)/g;
+  const STR_REPS = /\$(\$|&|`|')/g;
 
-    // ix is negative from the end, so add it
-    ix = args.length + ix;
-    for (let i = 0; i < ix; i++) {
-      r.push(args[i]);
-    }
+  const propagator = core.assess.dataflow.propagation.stringInstrumentation.replace = {
+    //
+    parseArgs(args) {
+      //
+      // convert replace args (match, p1, p2, ..., matchIdx, str, ?groups) to
+      // re.exec(string) format [match, g1, g2, ..., index: N, input: '', groups?]
+      //
+      const r = [];
+      let ix = -1;
+      if (typeof args.at(-1) === 'object') {
+        r.groups = args.at(-1);
+        ix = -2;
+      }
+      r.input = args.at(ix);
+      ix -= 1;
+      r.index = args.at(ix);
 
-    return r;
-  }
+      // ix is negative from the end, so add it
+      ix = args.length + ix;
+      for (let i = 0; i < ix; i++) {
+        r.push(args[i]);
+      }
 
-  const RE_REPS = /\$(\$|&|`|'|[1-9][0-9]?|<[a-zA-Z0-9_]+>)/g;
-  const STR_REPS = /\$(\$|&|`|')/g;
+      return r;
+    },
+    //
+    getReplacementInfo(data, replacerArgs, parsedArgs) {
+      // patternIsRE is two different flags, both booleans.
+      // - set true if the first argument to String.prototype.replace is an RE.
+      // - after the $N, $<name> checks, it flags that a substitution was made.
+      const patternIsRE = data.args[0] instanceof RegExp;
+      let replacement;
+      if (typeof data._replacement === 'function') {
+        // no special replacements apply to the string returned by a replacement
+        // function.
+        replacement = data._replacement.call(global, ...replacerArgs);
+      } else {
+        // if it's not a function then the valid special replacements depend on
+        // whether the pattern is a regex or a string. first find substitution
+        // patterns present in the replacement string. Don't find patterns that
+        // aren't valid, e.g., $0, $<name> when the pattern is a string.
+        replacement = String(data._replacement);
 
-  function getReplacementInfo(data, replacerArgs, parsedArgs) {
-    // patternIsRE is two different flags, both booleans.
-    // - set true if the first argument to String.prototype.replace is an RE.
-    // - after the $N, $<name> checks, it flags that a substitution was made.
-    const patternIsRE = data.args[0] instanceof RegExp;
-    let replacement;
-    if (typeof data._replacement === 'function') {
-      // no special replacements apply to the string returned by a replacement
-      // function.
-      replacement = data._replacement.call(global, ...replacerArgs);
-    } else {
-      // if it's not a function then the valid special replacements depend on
-      // whether the pattern is a regex or a string. first find substitution
-      // patterns present in the replacement string. Don't find patterns that
-      // aren't valid, e.g., $0, $<name> when the pattern is a string.
-      replacement = String(data._replacement);
+        const matches = StringPrototypeMatchAll.call(replacement, patternIsRE ? RE_REPS : STR_REPS);
 
-      const matches = StringPrototypeMatchAll.call(replacement, patternIsRE ? RE_REPS : STR_REPS);
+        for (const m of matches) {
+          let substitution;
+          let substitutionDone = false;
+          // format of m: ['$`', '`', index: 0, input: string, groups: undefined|{}]
+          // if the pattern is a regex, then $1 to $99 and $<name> are valid
+          if (patternIsRE) {
+            // my guess is $1 to $99 are most likely, after that, who knows? so
+            // we check named groups next, because 1) they seem more useful than
+            // the other $ patterns and 2) they are in the same patternIsRE test.
+            //
+            // in any case, the following will be false if m[1][0] is not a number.
+            if (m[1][0] >= 1 && m[1][0] <= 9) {
+              // a group might not be present, e.g., (pattern)?(a) or (a)|(b).
+              if (parsedArgs[m[1]] === undefined) {
+                if (m[1] in parsedArgs) {
+                  // need to remove $m[1] from replacement pattern. N.B. this could
+                  // mess up if the replacement text contains text that matches a
+                  // subsequent replacement (either RE or string).
+                  replacement = StringPrototypeReplaceAll.call(replacement, m[0], '');
+                } else {
+                  // no capture groups in RegExp
+                  substitution = replacement;
+                }
 
-      for (const m of matches) {
-        let substitution;
-        let substitutionDone = false;
-        // format of m: ['$`', '`', index: 0, input: string, groups: undefined|{}]
-        // if the pattern is a regex, then $1 to $99 and $<name> are valid
-        if (patternIsRE) {
-          // my guess is $1 to $99 are most likely, after that, who knows? so
-          // we check named groups next, because 1) they seem more useful than
-          // the other $ patterns and 2) they are in the same patternIsRE test.
-          //
-          // in any case, the following will be false if m[1][0] is not a number.
-          if (m[1][0] >= 1 && m[1][0] <= 9) {
-            //const group = Number(m[1]);
-            // a group might not be present, e.g., (pattern)?(a) or (a)|(b).
-            if (parsedArgs[m[1]] === undefined && m[1] in parsedArgs) {
-              // need to remove $m[1] from replacement pattern. N.B. this could
-              // mess up if the replacement text contains text that matches a
-              // subsequent replacement (either RE or string).
-              replacement = StringPrototypeReplaceAll.call(replacement, m[0], '');
-              continue;
+                continue;
+              }
+              substitution = parsedArgs[m[1]];
+              substitutionDone = true;
+            } else if (m[1][0] === '<') {
+              // named group
+              const groupName = StringPrototypeSubstring.call(m[1], 1, m[1].length - 1);
+              if (parsedArgs.groups[groupName] === undefined && groupName in parsedArgs.groups) {
+                // remove $<groupName> from the replacement pattern. N.B. this
+                // also could mess up if the replacement text containts text that
+                // matches a subsequent replacement.
+                replacement = StringPrototypeReplaceAll.call(replacement, m[0], '');
+                continue;
+              }
+              substitution = parsedArgs.groups[groupName];
+              substitutionDone = true;
             }
-            substitution = parsedArgs[m[1]];
-            substitutionDone = true;
-          } else if (m[1][0] === '<') {
-            // named group
-            const groupName = StringPrototypeSubstring.call(m[1], 1, m[1].length - 1);
-            if (parsedArgs.groups[groupName] === undefined && groupName in parsedArgs.groups) {
-              // remove $<groupName> from the replacement pattern. N.B. this
-              // also could mess up if the replacement text containts text that
-              // matches a subsequent replacement.
-              replacement = StringPrototypeReplaceAll.call(replacement, m[0], '');
-              continue;
-            }
-            substitution = parsedArgs.groups[groupName];
-            substitutionDone = true;
           }
-        }
 
-        // the following are valid whether the pattern is a regex or a string.
-        //
-        // any idea what order $&'` should be in from a most-common to least-
-        // common perspective? nfi.
-        let substitutionTags;
-        if (!substitutionDone) {
-          if (m[1] === '$') {
-            // this could actually be tracked but in order to do this "right"
-            // we have to be able to distinguish whether it is the first or
-            // the second $ that is tracked. so punt, and just ignore it, as
-            // originally implemented.
-            substitution = '$';
-            data._replacementOffset -= 1;
-          } else if (m[1] === '&') {
-            // replace these '$&' in parsedArgs[0] (replacerArgs[0], i.e., the
-            // match). if tracked, handle it. do so by index, so we don't have to
-            // call replace again? e.g., string[m.index..m.index+2]
-            substitution = parsedArgs[0];
-          } else if (m[1] === '`') {
-            const info = tracker.getData(parsedArgs.input);
-            substitution = StringPrototypeSubstring.call(parsedArgs.input, 0, parsedArgs.index);
-            substitutionTags = createSubsetTags(info.tags, parsedArgs.index, substitution.length);
-          } else if (m[1] === "'") {
-            const info = tracker.getData(parsedArgs.input);
-            substitution = StringPrototypeSubstring.call(parsedArgs.input, parsedArgs.index + parsedArgs[0].length);
-            substitutionTags = createSubsetTags(info.tags, parsedArgs.index, substitution.length);
-          } //  else {
-          //   throw new Error('how can it have matched RE and gotten here?');
-          // }
-          // i'm not sure what the proper handling of this is. if either char
-          // of the $$&`' sequence is tracked, then something the user input
-          // is manipulating the output, even if it is just duplicating what
-          // might be tracked or untracked input. does that count?
-        }
-        replacement = StringPrototypeReplace.call(replacement, m[0], substitution);
-        if (!substitutionTags && tracker.getData(substitution)) substitutionTags = tracker.getData(substitution)?.tags;
-        if (substitutionTags) {
-          data._replacementTags = createAppendTags(data._replacementTags || {}, substitutionTags, m.index + data._replacementOffset);
-          data._replacementOffset += (substitution.length - m[0].length);
+          // the following are valid whether the pattern is a regex or a string.
+          //
+          // any idea what order $&'` should be in from a most-common to least-
+          // common perspective? nfi.
+          let substitutionTags;
+          if (!substitutionDone) {
+            if (m[1] === '$') {
+              // this could actually be tracked but in order to do this "right"
+              // we have to be able to distinguish whether it is the first or
+              // the second $ that is tracked. so punt, and just ignore it, as
+              // originally implemented.
+              substitution = '$';
+              data._replacementOffset -= 1;
+            } else if (m[1] === '&') {
+              // replace these '$&' in parsedArgs[0] (replacerArgs[0], i.e., the
+              // match). if tracked, handle it. do so by index, so we don't have to
+              // call replace again? e.g., string[m.index..m.index+2]
+              substitution = parsedArgs[0];
+            } else if (m[1] === '`') {
+              const info = tracker.getData(parsedArgs.input);
+              substitution = StringPrototypeSubstring.call(parsedArgs.input, 0, parsedArgs.index);
+              substitutionTags = createSubsetTags(info.tags, parsedArgs.index, substitution.length);
+            } else if (m[1] === "'") {
+              const info = tracker.getData(parsedArgs.input);
+              substitution = StringPrototypeSubstring.call(parsedArgs.input, parsedArgs.index + parsedArgs[0].length);
+              substitutionTags = createSubsetTags(info.tags, parsedArgs.index, substitution.length);
+            } //  else {
+            //   throw new Error('how can it have matched RE and gotten here?');
+            // }
+            // i'm not sure what the proper handling of this is. if either char
+            // of the $$&`' sequence is tracked, then something the user input
+            // is manipulating the output, even if it is just duplicating what
+            // might be tracked or untracked input. does that count?
+          }
+          replacement = StringPrototypeReplace.call(replacement, m[0], substitution);
+          if (!substitutionTags && tracker.getData(substitution)) substitutionTags = tracker.getData(substitution)?.tags;
+          if (substitutionTags) {
+            data._replacementTags = createAppendTags(data._replacementTags || {}, substitutionTags, m.index + data._replacementOffset);
+            data._replacementOffset += (substitution.length - m[0].length);
+          }
         }
       }
-    }
 
-    // coerce the replacement to a string, e.g., null => 'null'
-    replacement = String(replacement);
+      // coerce the replacement to a string, e.g., null => 'null'
+      replacement = String(replacement);
 
-    data._replacementInfo = tracker.getData(replacement);
-    if (data._replacementInfo) {
-      data._history.add(data._replacementInfo);
-    }
-
-    return { replacement, replacementTags: data._replacementTags || data._replacementInfo?.tags };
-  }
+      data._replacementInfo = tracker.getData(replacement);
+      if (data._replacementInfo) {
+        data._history.add(data._replacementInfo);
+      }
 
-  function getReplacer(data) {
-    return function replacer(...args) {
-      const parsedArgs = parseArgs(args);
-      const match = parsedArgs[0];
-      const { index, input } = parsedArgs;
+      return { replacement, replacementTags: data._replacementTags || data._replacementInfo?.tags };
+    },
+    //
+    getReplacer(data) {
+      return function replacer(...args) {
+        const parsedArgs = propagator.parseArgs(args);
+        const match = parsedArgs[0];
+        const { index, input } = parsedArgs;
 
-      const { _accumOffset, _accumTags } = data;
-      const { replacement, replacementTags } = getReplacementInfo(data, args, parsedArgs);
+        const { _accumOffset, _accumTags } = data;
+        const { replacement, replacementTags } = propagator.getReplacementInfo(data, args, parsedArgs);
 
-      const preTags = createSubsetTags(_accumTags, 0, _accumOffset + index);
-      const postTags = createSubsetTags(_accumTags, _accumOffset + index + match.length, input.length - index - match.length);
-      data._accumOffset += (replacement.length - match.length);
-      if (preTags || postTags || replacementTags) {
-        data._accumTags = createAppendTags(
-          createAppendTags(preTags, replacementTags, _accumOffset + index),
-          postTags,
-          data._accumOffset + index + match.length
-        );
-      } else {
-        data._accumTags = {};
-      }
-      return replacement;
-    };
-  }
+        const preTags = createSubsetTags(_accumTags, 0, _accumOffset + index);
+        const postTags = createSubsetTags(_accumTags, _accumOffset + index + match.length, input.length - index - match.length);
+        data._accumOffset += (replacement.length - match.length);
+        if (preTags || postTags || replacementTags) {
+          data._accumTags = createAppendTags(
+            createAppendTags(preTags, replacementTags, _accumOffset + index),
+            postTags,
+            data._accumOffset + index + match.length
+          );
+        } else {
+          data._accumTags = {};
+        }
+        return replacement;
+      };
+    },
 
-  return core.assess.dataflow.propagation.stringInstrumentation.replace = {
     install() {
       const name = 'String.prototype.replace';
       const store = { name, lock: true };
@@ -215,20 +222,27 @@ module.exports = function(core) {
         patchType,
         usePerf: 'sync',
         around(next, data) {
-          if (!getPropagatorContext()) return next();
+          const _next = !scopes.instrumentation.isLocked() ? () => scopes.instrumentation.run(store, next) : next;
+
+          if (!getPropagatorContext()) return _next();
 
           // setup state
           data._objInfo = tracker.getData(data.obj);
           data._replacement = data.args[1];
-          data._replacementType = typeof data._replacement;
           data._history = data._objInfo ? new Set([data._objInfo]) : new Set();
           data._accumTags = data._objInfo?.tags || {};
           data._accumOffset = 0;
           data._replacementOffset = 0;
 
-          data.args[1] = getReplacer(data);
+          // bail early if no constituents are tracked
+          if (
+            !data._objInfo &&
+            isString(data.args[1]) &&
+            !tracker.getData(data.args[1])
+          ) return _next();
 
-          const result = !scopes.instrumentation.isLocked() ? scopes.instrumentation.run(store, next) : next();
+          data.args[1] = propagator.getReplacer(data);
+          const result = _next();
 
           if (
             !result ||
@@ -285,4 +299,6 @@ module.exports = function(core) {
       String.prototype.replace = patcher.unwrap(String.prototype.replace);
     }
   };
+
+  return propagator;
 };

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@contrast/assess",
-  "version": "1.54.0",
+  "version": "1.54.1",
   "description": "Contrast service providing framework-agnostic Assess support",
   "license": "SEE LICENSE IN LICENSE",
   "author": "Contrast Security <nodejs@contrastsecurity.com> (https://www.contrastsecurity.com)",