npm - @contrast/assess - Versions diffs - 1.54.0 → 1.55.0 - Mend

@contrast/assess 1.54.0 → 1.55.0

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (3) hide show

package/lib/dataflow/propagation/install/string/replace.js +168 -152
package/lib/dataflow/sources/install/fastify/fastify.js +3 -0
package/package.json +10 -10

package/lib/dataflow/propagation/install/string/replace.js CHANGED Viewed

@@ -23,7 +23,8 @@ const {
     StringPrototypeReplace,
     StringPrototypeReplaceAll,
     StringPrototypeSubstring
-  }
+  },
+  isString,
 } = require('@contrast/common');
 const {
   createSubsetTags,
@@ -43,170 +44,176 @@ module.exports = function(core) {
     },
   } = core;
-  function parseArgs(args) {
-    //
-    // convert replace args (match, p1, p2, ..., matchIdx, str, ?groups) to
-    // re.exec(string) format [match, g1, g2, ..., index: N, input: '', groups?]
-    //
-    const r = [];
-    let ix = -1;
-    if (typeof args.at(-1) === 'object') {
-      r.groups = args.at(-1);
-      ix = -2;
-    }
-    r.input = args.at(ix);
-    ix -= 1;
-    r.index = args.at(ix);
+  const RE_REPS = /\$(\$|&|`|'|[1-9][0-9]?|<[a-zA-Z0-9_]+>)/g;
+  const STR_REPS = /\$(\$|&|`|')/g;
-    // ix is negative from the end, so add it
-    ix = args.length + ix;
-    for (let i = 0; i < ix; i++) {
-      r.push(args[i]);
-    }
+  const propagator = core.assess.dataflow.propagation.stringInstrumentation.replace = {
+    //
+    parseArgs(args) {
+      //
+      // convert replace args (match, p1, p2, ..., matchIdx, str, ?groups) to
+      // re.exec(string) format [match, g1, g2, ..., index: N, input: '', groups?]
+      //
+      const r = [];
+      let ix = -1;
+      if (typeof args.at(-1) === 'object') {
+        r.groups = args.at(-1);
+        ix = -2;
+      }
+      r.input = args.at(ix);
+      ix -= 1;
+      r.index = args.at(ix);
-    return r;
-  }
+      // ix is negative from the end, so add it
+      ix = args.length + ix;
+      for (let i = 0; i < ix; i++) {
+        r.push(args[i]);
+      }
-  const RE_REPS = /\$(\$|&|`|'|[1-9][0-9]?|<[a-zA-Z0-9_]+>)/g;
-  const STR_REPS = /\$(\$|&|`|')/g;
+      return r;
+    },
+    //
+    getReplacementInfo(data, replacerArgs, parsedArgs) {
+      // patternIsRE is two different flags, both booleans.
+      // - set true if the first argument to String.prototype.replace is an RE.
+      // - after the $N, $<name> checks, it flags that a substitution was made.
+      const patternIsRE = data.args[0] instanceof RegExp;
+      let replacement;
+      if (typeof data._replacement === 'function') {
+        // no special replacements apply to the string returned by a replacement
+        // function.
+        replacement = data._replacement.call(global, ...replacerArgs);
+      } else {
+        // if it's not a function then the valid special replacements depend on
+        // whether the pattern is a regex or a string. first find substitution
+        // patterns present in the replacement string. Don't find patterns that
+        // aren't valid, e.g., $0, $<name> when the pattern is a string.
+        replacement = String(data._replacement);
-  function getReplacementInfo(data, replacerArgs, parsedArgs) {
-    // patternIsRE is two different flags, both booleans.
-    // - set true if the first argument to String.prototype.replace is an RE.
-    // - after the $N, $<name> checks, it flags that a substitution was made.
-    const patternIsRE = data.args[0] instanceof RegExp;
-    let replacement;
-    if (typeof data._replacement === 'function') {
-      // no special replacements apply to the string returned by a replacement
-      // function.
-      replacement = data._replacement.call(global, ...replacerArgs);
-    } else {
-      // if it's not a function then the valid special replacements depend on
-      // whether the pattern is a regex or a string. first find substitution
-      // patterns present in the replacement string. Don't find patterns that
-      // aren't valid, e.g., $0, $<name> when the pattern is a string.
-      replacement = String(data._replacement);
+        const matches = StringPrototypeMatchAll.call(replacement, patternIsRE ? RE_REPS : STR_REPS);
-      const matches = StringPrototypeMatchAll.call(replacement, patternIsRE ? RE_REPS : STR_REPS);
+        for (const m of matches) {
+          let substitution;
+          let substitutionDone = false;
+          // format of m: ['$`', '`', index: 0, input: string, groups: undefined|{}]
+          // if the pattern is a regex, then $1 to $99 and $<name> are valid
+          if (patternIsRE) {
+            // my guess is $1 to $99 are most likely, after that, who knows? so
+            // we check named groups next, because 1) they seem more useful than
+            // the other $ patterns and 2) they are in the same patternIsRE test.
+            //
+            // in any case, the following will be false if m[1][0] is not a number.
+            if (m[1][0] >= 1 && m[1][0] <= 9) {
+              // a group might not be present, e.g., (pattern)?(a) or (a)|(b).
+              if (parsedArgs[m[1]] === undefined) {
+                if (m[1] in parsedArgs) {
+                  // need to remove $m[1] from replacement pattern. N.B. this could
+                  // mess up if the replacement text contains text that matches a
+                  // subsequent replacement (either RE or string).
+                  replacement = StringPrototypeReplaceAll.call(replacement, m[0], '');
+                } else {
+                  // no capture groups in RegExp
+                  substitution = replacement;
+                }
-      for (const m of matches) {
-        let substitution;
-        let substitutionDone = false;
-        // format of m: ['$`', '`', index: 0, input: string, groups: undefined|{}]
-        // if the pattern is a regex, then $1 to $99 and $<name> are valid
-        if (patternIsRE) {
-          // my guess is $1 to $99 are most likely, after that, who knows? so
-          // we check named groups next, because 1) they seem more useful than
-          // the other $ patterns and 2) they are in the same patternIsRE test.
-          //
-          // in any case, the following will be false if m[1][0] is not a number.
-          if (m[1][0] >= 1 && m[1][0] <= 9) {
-            //const group = Number(m[1]);
-            // a group might not be present, e.g., (pattern)?(a) or (a)|(b).
-            if (parsedArgs[m[1]] === undefined && m[1] in parsedArgs) {
-              // need to remove $m[1] from replacement pattern. N.B. this could
-              // mess up if the replacement text contains text that matches a
-              // subsequent replacement (either RE or string).
-              replacement = StringPrototypeReplaceAll.call(replacement, m[0], '');
-              continue;
+                continue;
+              }
+              substitution = parsedArgs[m[1]];
+              substitutionDone = true;
+            } else if (m[1][0] === '<') {
+              // named group
+              const groupName = StringPrototypeSubstring.call(m[1], 1, m[1].length - 1);
+              if (parsedArgs.groups[groupName] === undefined && groupName in parsedArgs.groups) {
+                // remove $<groupName> from the replacement pattern. N.B. this
+                // also could mess up if the replacement text containts text that
+                // matches a subsequent replacement.
+                replacement = StringPrototypeReplaceAll.call(replacement, m[0], '');
+                continue;
+              }
+              substitution = parsedArgs.groups[groupName];
+              substitutionDone = true;
             }
-            substitution = parsedArgs[m[1]];
-            substitutionDone = true;
-          } else if (m[1][0] === '<') {
-            // named group
-            const groupName = StringPrototypeSubstring.call(m[1], 1, m[1].length - 1);
-            if (parsedArgs.groups[groupName] === undefined && groupName in parsedArgs.groups) {
-              // remove $<groupName> from the replacement pattern. N.B. this
-              // also could mess up if the replacement text containts text that
-              // matches a subsequent replacement.
-              replacement = StringPrototypeReplaceAll.call(replacement, m[0], '');
-              continue;
-            }
-            substitution = parsedArgs.groups[groupName];
-            substitutionDone = true;
           }
-        }
-        // the following are valid whether the pattern is a regex or a string.
-        //
-        // any idea what order $&'` should be in from a most-common to least-
-        // common perspective? nfi.
-        let substitutionTags;
-        if (!substitutionDone) {
-          if (m[1] === '$') {
-            // this could actually be tracked but in order to do this "right"
-            // we have to be able to distinguish whether it is the first or
-            // the second $ that is tracked. so punt, and just ignore it, as
-            // originally implemented.
-            substitution = '$';
-            data._replacementOffset -= 1;
-          } else if (m[1] === '&') {
-            // replace these '$&' in parsedArgs[0] (replacerArgs[0], i.e., the
-            // match). if tracked, handle it. do so by index, so we don't have to
-            // call replace again? e.g., string[m.index..m.index+2]
-            substitution = parsedArgs[0];
-          } else if (m[1] === '`') {
-            const info = tracker.getData(parsedArgs.input);
-            substitution = StringPrototypeSubstring.call(parsedArgs.input, 0, parsedArgs.index);
-            substitutionTags = createSubsetTags(info.tags, parsedArgs.index, substitution.length);
-          } else if (m[1] === "'") {
-            const info = tracker.getData(parsedArgs.input);
-            substitution = StringPrototypeSubstring.call(parsedArgs.input, parsedArgs.index + parsedArgs[0].length);
-            substitutionTags = createSubsetTags(info.tags, parsedArgs.index, substitution.length);
-          } //  else {
-          //   throw new Error('how can it have matched RE and gotten here?');
-          // }
-          // i'm not sure what the proper handling of this is. if either char
-          // of the $$&`' sequence is tracked, then something the user input
-          // is manipulating the output, even if it is just duplicating what
-          // might be tracked or untracked input. does that count?
-        }
-        replacement = StringPrototypeReplace.call(replacement, m[0], substitution);
-        if (!substitutionTags && tracker.getData(substitution)) substitutionTags = tracker.getData(substitution)?.tags;
-        if (substitutionTags) {
-          data._replacementTags = createAppendTags(data._replacementTags || {}, substitutionTags, m.index + data._replacementOffset);
-          data._replacementOffset += (substitution.length - m[0].length);
+          // the following are valid whether the pattern is a regex or a string.
+          //
+          // any idea what order $&'` should be in from a most-common to least-
+          // common perspective? nfi.
+          let substitutionTags;
+          if (!substitutionDone) {
+            if (m[1] === '$') {
+              // this could actually be tracked but in order to do this "right"
+              // we have to be able to distinguish whether it is the first or
+              // the second $ that is tracked. so punt, and just ignore it, as
+              // originally implemented.
+              substitution = '$';
+              data._replacementOffset -= 1;
+            } else if (m[1] === '&') {
+              // replace these '$&' in parsedArgs[0] (replacerArgs[0], i.e., the
+              // match). if tracked, handle it. do so by index, so we don't have to
+              // call replace again? e.g., string[m.index..m.index+2]
+              substitution = parsedArgs[0];
+            } else if (m[1] === '`') {
+              const info = tracker.getData(parsedArgs.input);
+              substitution = StringPrototypeSubstring.call(parsedArgs.input, 0, parsedArgs.index);
+              substitutionTags = createSubsetTags(info.tags, parsedArgs.index, substitution.length);
+            } else if (m[1] === "'") {
+              const info = tracker.getData(parsedArgs.input);
+              substitution = StringPrototypeSubstring.call(parsedArgs.input, parsedArgs.index + parsedArgs[0].length);
+              substitutionTags = createSubsetTags(info.tags, parsedArgs.index, substitution.length);
+            } //  else {
+            //   throw new Error('how can it have matched RE and gotten here?');
+            // }
+            // i'm not sure what the proper handling of this is. if either char
+            // of the $$&`' sequence is tracked, then something the user input
+            // is manipulating the output, even if it is just duplicating what
+            // might be tracked or untracked input. does that count?
+          }
+          replacement = StringPrototypeReplace.call(replacement, m[0], substitution);
+          if (!substitutionTags && tracker.getData(substitution)) substitutionTags = tracker.getData(substitution)?.tags;
+          if (substitutionTags) {
+            data._replacementTags = createAppendTags(data._replacementTags || {}, substitutionTags, m.index + data._replacementOffset);
+            data._replacementOffset += (substitution.length - m[0].length);
+          }
         }
       }
-    }
-    // coerce the replacement to a string, e.g., null => 'null'
-    replacement = String(replacement);
+      // coerce the replacement to a string, e.g., null => 'null'
+      replacement = String(replacement);
-    data._replacementInfo = tracker.getData(replacement);
-    if (data._replacementInfo) {
-      data._history.add(data._replacementInfo);
-    }
-    return { replacement, replacementTags: data._replacementTags || data._replacementInfo?.tags };
-  }
+      data._replacementInfo = tracker.getData(replacement);
+      if (data._replacementInfo) {
+        data._history.add(data._replacementInfo);
+      }
-  function getReplacer(data) {
-    return function replacer(...args) {
-      const parsedArgs = parseArgs(args);
-      const match = parsedArgs[0];
-      const { index, input } = parsedArgs;
+      return { replacement, replacementTags: data._replacementTags || data._replacementInfo?.tags };
+    },
+    //
+    getReplacer(data) {
+      return function replacer(...args) {
+        const parsedArgs = propagator.parseArgs(args);
+        const match = parsedArgs[0];
+        const { index, input } = parsedArgs;
-      const { _accumOffset, _accumTags } = data;
-      const { replacement, replacementTags } = getReplacementInfo(data, args, parsedArgs);
+        const { _accumOffset, _accumTags } = data;
+        const { replacement, replacementTags } = propagator.getReplacementInfo(data, args, parsedArgs);
-      const preTags = createSubsetTags(_accumTags, 0, _accumOffset + index);
-      const postTags = createSubsetTags(_accumTags, _accumOffset + index + match.length, input.length - index - match.length);
-      data._accumOffset += (replacement.length - match.length);
-      if (preTags || postTags || replacementTags) {
-        data._accumTags = createAppendTags(
-          createAppendTags(preTags, replacementTags, _accumOffset + index),
-          postTags,
-          data._accumOffset + index + match.length
-        );
-      } else {
-        data._accumTags = {};
-      }
-      return replacement;
-    };
-  }
+        const preTags = createSubsetTags(_accumTags, 0, _accumOffset + index);
+        const postTags = createSubsetTags(_accumTags, _accumOffset + index + match.length, input.length - index - match.length);
+        data._accumOffset += (replacement.length - match.length);
+        if (preTags || postTags || replacementTags) {
+          data._accumTags = createAppendTags(
+            createAppendTags(preTags, replacementTags, _accumOffset + index),
+            postTags,
+            data._accumOffset + index + match.length
+          );
+        } else {
+          data._accumTags = {};
+        }
+        return replacement;
+      };
+    },
-  return core.assess.dataflow.propagation.stringInstrumentation.replace = {
     install() {
       const name = 'String.prototype.replace';
       const store = { name, lock: true };
@@ -215,20 +222,27 @@ module.exports = function(core) {
         patchType,
         usePerf: 'sync',
         around(next, data) {
-          if (!getPropagatorContext()) return next();
+          const _next = !scopes.instrumentation.isLocked() ? () => scopes.instrumentation.run(store, next) : next;
+          if (!getPropagatorContext()) return _next();
           // setup state
           data._objInfo = tracker.getData(data.obj);
           data._replacement = data.args[1];
-          data._replacementType = typeof data._replacement;
           data._history = data._objInfo ? new Set([data._objInfo]) : new Set();
           data._accumTags = data._objInfo?.tags || {};
           data._accumOffset = 0;
           data._replacementOffset = 0;
-          data.args[1] = getReplacer(data);
+          // bail early if no constituents are tracked
+          if (
+            !data._objInfo &&
+            isString(data.args[1]) &&
+            !tracker.getData(data.args[1])
+          ) return _next();
-          const result = !scopes.instrumentation.isLocked() ? scopes.instrumentation.run(store, next) : next();
+          data.args[1] = propagator.getReplacer(data);
+          const result = _next();
           if (
             !result ||
@@ -285,4 +299,6 @@ module.exports = function(core) {
       String.prototype.replace = patcher.unwrap(String.prototype.replace);
     }
   };
+  return propagator;
 };

package/lib/dataflow/sources/install/fastify/fastify.js CHANGED Viewed

@@ -36,6 +36,9 @@ module.exports = function (core) {
         patchType,
         post({ result: server, funcKey }) {
           server.addHook('preValidation', function preValidationHandler(request, reply, done) {
+            // todo(NODE-3793): support for @fastify/websocket
+            if (request.constructor.name == 'WebSocket') return;
             const sourceContext = getSourceContext();
             if (!sourceContext) return done();

package/package.json CHANGED Viewed

@@ -1,6 +1,6 @@
 {
   "name": "@contrast/assess",
-  "version": "1.54.0",
+  "version": "1.55.0",
   "description": "Contrast service providing framework-agnostic Assess support",
   "license": "SEE LICENSE IN LICENSE",
   "author": "Contrast Security <nodejs@contrastsecurity.com> (https://www.contrastsecurity.com)",
@@ -21,16 +21,16 @@
   },
   "dependencies": {
     "@contrast/common": "1.32.0",
-    "@contrast/config": "1.46.0",
-    "@contrast/core": "1.51.0",
-    "@contrast/dep-hooks": "1.20.0",
+    "@contrast/config": "1.47.0",
+    "@contrast/core": "1.52.0",
+    "@contrast/dep-hooks": "1.21.0",
     "@contrast/distringuish": "^5.1.0",
-    "@contrast/instrumentation": "1.30.0",
-    "@contrast/logger": "1.24.0",
-    "@contrast/patcher": "1.23.0",
-    "@contrast/rewriter": "1.27.0",
-    "@contrast/route-coverage": "1.42.0",
-    "@contrast/scopes": "1.21.0",
+    "@contrast/instrumentation": "1.31.0",
+    "@contrast/logger": "1.25.0",
+    "@contrast/patcher": "1.24.0",
+    "@contrast/rewriter": "1.28.0",
+    "@contrast/route-coverage": "1.43.0",
+    "@contrast/scopes": "1.22.0",
     "semver": "^7.6.0"
   }
 }