@contrast/assess 1.58.2 → 1.59.0

package/lib/dataflow/propagation/install/util-format.js

@@ -24,12 +24,35 @@ module.exports = function(core) {
     patcher,
     depHooks,
     assess: {
+      inspect,
       getPropagatorContext,
       eventFactory: { createPropagationEvent },
       dataflow: { tracker }
     }
   } = core;
 
+  function traverseObject(obj, result, tags, history, depth = 1) {
+    let i = 0;
+    for (const val of Object.values(obj)) {
+
+      if (typeof val === 'object' && depth <= 4) tags = traverseObject(val, result, tags, history, depth += 1);
+
+      const valInfo = tracker.getData(val);
+      if (!valInfo || depth > 4) break;
+
+      const currIdx = result.indexOf(val, i);
+      if (currIdx > -1) {
+        i = currIdx + val.length;
+      } else {
+        break;
+      }
+      tags = createAppendTags(tags, valInfo.tags, currIdx);
+      history.push({ ...valInfo });
+    }
+
+    return tags;
+  }
+
   return core.assess.dataflow.propagation.utilFormat = {
     install() {
       depHooks.resolve({ name: 'util', version: '*' }, (util) => {
@@ -57,13 +80,14 @@ module.exports = function(core) {
 
             for (i; i < args.length; i++) {
               let arg = args[i];
+              if (!arg) continue;
+
               const formatChar = formatChars[i - 1];
               if (formatChar) {
                 switch (formatChar) {
                   case 's':
                     if (typeof arg === 'object') {
-                      // util.inspect instrumentation NYI
-                      arg = arg?.toString ? arg.toString() : util.inspect(arg, { depth: 0, colors: false, compact: 3 });
+                      break; // handled below
                     } else {
                       arg = String(arg);
                     }
@@ -77,36 +101,35 @@ module.exports = function(core) {
                     arg = JSON.stringify(arg) ?? 'undefined';
                     break;
                   case 'o':
-                    // util.inspect instrumentation NYI
-                    arg = util.inspect(arg, { showHidden: true, showProxy: true });
-                    break;
+                    break; // handled below
                   case 'O':
-                    // util.inspect instrumentation NYI
-                    arg = util.inspect(arg);
-                    break;
+                    break; // handled below
                   case 'c':
                     // c is ignored and skipped
                     arg = '';
                     break;
                 }
               } else if (typeof arg !== 'string') {
-                arg = util.inspect(arg);
+                arg = inspect(arg);
               }
 
-              const argInfo = tracker.getData(arg);
-              if (!argInfo) continue;
+              if (typeof arg === 'string') {
+                const argInfo = tracker.getData(arg);
+                if (!argInfo) continue;
 
-              const currIdx = result.indexOf(arg, idx);
-              if (currIdx > -1) {
-                idx = currIdx + arg.length;
-              } else {
-                continue;
+                const currIdx = result.indexOf(arg, idx);
+                if (currIdx > -1) {
+                  idx = currIdx + arg.length;
+                } else {
+                  continue;
+                }
+                newTags = createAppendTags(newTags, argInfo.tags, currIdx);
+                history.push({ ...argInfo });
+                eventArgs.push({ value: argInfo ? argInfo.value : arg, tracked: !!argInfo });
+              } else if (typeof arg === 'object') {
+                newTags = traverseObject(arg, result, newTags, history);
+                eventArgs.push({ value: inspect(arg), tracked: false });
               }
-
-              newTags = createAppendTags(newTags, argInfo.tags, currIdx);
-
-              history.push({ ...argInfo });
-              eventArgs.push({ value: argInfo ? argInfo.value : arg, tracked: !!argInfo });
             }
 
             const resultInfo = tracker.getData(result);

package/lib/dataflow/sources/install/body-parser.js

@@ -85,7 +85,7 @@ module.exports = function init(core) {
           },
         });
 
-        sourceContext.parsedBody = !!Object.keys(_data).length;
+        sourceContext.parsedBody = !!(_data && Object.keys(_data).length);
       } catch (err) {
         logger.error({ err, funcKey: data.funcKey }, 'unable to handle source');
       }

package/lib/dataflow/sources/install/koa/koa-bodyparsers.js

@@ -23,6 +23,7 @@ module.exports = (core) => {
     depHooks,
     patcher,
     logger,
+    scopes,
     assess: {
       getSourceContext,
       dataflow: { sources }
@@ -51,7 +52,8 @@ module.exports = (core) => {
               }
 
               data.args[1] = async function contrastNext(origErr) {
-                const inputType = sourceContext.reqData.headers?.['content-type']?.includes('/json')
+                const contentType = scopes.sources.getStore()?.sourceInfo?.contentType;
+                const inputType = contentType?.includes?.('/json')
                   ? InputType.JSON_VALUE
                   : typeof ctx.request.body == 'object'
                     ? InputType.PARAMETER_VALUE

package/lib/dataflow/sources/install/qs6.js

@@ -23,6 +23,7 @@ module.exports = (core) => {
     depHooks,
     patcher,
     logger,
+    scopes,
     assess: {
       getSourceContext,
       dataflow: { sources }
@@ -38,21 +39,20 @@ module.exports = (core) => {
         patchType,
         post({ args, hooked, orig, result, funcKey }) {
           const sourceContext = getSourceContext();
-
-          if (!sourceContext) {
-            return;
-          }
+          if (!sourceContext) return;
 
           if (sourceContext.parsedQuery) {
             logger.trace({ inputType, funcKey }, 'values already tracked');
             return;
           }
 
+          const queries = scopes.sources.getStore()?.sourceInfo?.queries;
+
           // We need to run analysis for the `qs` result only when it's used as a query parser.
           // `qs` is used also for parsing bodies, but these cases we handle individually with
           // the respective library that's using it (e.g. `formidable`, `co-body`) because in
           // some cases its use is optional and we cannot rely on it.
-          if (sourceContext.reqData?.queries === args[0]) {
+          if (queries === args[0]) {
             try {
               sources.handle({
                 context: 'req.query',

package/lib/dataflow/sources/install/querystring.js

@@ -24,6 +24,7 @@ module.exports = (core) => {
     depHooks,
     patcher,
     logger,
+    scopes,
   } = core;
 
   core.assess.dataflow.sources.querystringInstrumentation = {
@@ -46,7 +47,7 @@ module.exports = (core) => {
 
             // We only run analysis for the `querystring` result when it's used
             // as the framework's query parser
-            if (sourceContext.reqData?.queries === args[0]) {
+            if (scopes.sources.getStore().sourceInfo?.queries === args[0]) {
               try {
                 core.assess.dataflow.sources.handle({
                   context: 'req.query',

package/lib/index.d.ts

@@ -38,7 +38,6 @@ export interface Core extends _Core {
 }
 
 export interface SourceContext {
-  reqData: object,
   responseData: {
     contentType: string,
   },

package/lib/make-source-context.js

@@ -15,7 +15,6 @@
 
 'use strict';
 
-const { primordials: { StringPrototypeToLowerCase, StringPrototypeSlice } } = require('@contrast/common');
 const { Core } = require('@contrast/core/lib/ioc/core');
 
 /**
@@ -33,57 +32,28 @@ function factory(core) {
   const { assess, logger } = core;
 
   /**
+   * todo: how to handle non-HTTP sources
    * @returns {import('@contrast/assess').SourceContext}
    */
-  return core.assess.makeSourceContext = function(sourceData) {
-    try {
+  return core.assess.makeSourceContext = function ({ store, incomingMessage: req }) {
 
-      const ctx = sourceData.store.assess = {
+    try {
+      const ctx = store.assess = {
         // default policy to `null` until it is set later below. this will cause
         // all instrumentation to short-circuit, see `./get-source-context.js`.
         policy: null,
       };
 
-      if (!core.config.getEffectiveValue('assess.enable')) {
-        return ctx;
-      }
-
-      // todo: how to handle non-HTTP sources
-      const { incomingMessage: req } = sourceData;
-
-      // minimally process the request data for sampling and exclusions.
-      // more request fields will be appended in final result below.
-      let uriPath;
-      let queries;
-      const idx = req.url.indexOf('?');
-      if (idx >= 0) {
-        uriPath = StringPrototypeSlice.call(req.url, 0, idx);
-        queries = StringPrototypeSlice.call(req.url, idx + 1);
-      } else {
-        uriPath = req.url;
-        queries = '';
-      }
-      ctx.reqData = {
-        method: req.method,
-        uriPath,
-        queries,
-      };
+      if (!core.config.getEffectiveValue('assess.enable')) return ctx;
 
       // check whether sampling allows processing
-      ctx.sampleInfo = assess.sampler?.getSampleInfo(sourceData) ?? null;
+      ctx.sampleInfo = assess.sampler?.getSampleInfo(store.sourceInfo) ?? null;
       if (ctx.sampleInfo?.canSample === false) return ctx;
 
       // set policy - can be returned as `null` if request is url-excluded.
-      ctx.policy = assess.getPolicy(ctx.reqData);
+      ctx.policy = assess.getPolicy(store.sourceInfo);
       if (!ctx.policy) return ctx;
 
-      // build remaining reqData
-      ctx.reqData.headers = { ...req.headers }; // copy to avoid storing tracked values
-      ctx.reqData.ip = req.socket.remoteAddress;
-      ctx.reqData.httpVersion = req.httpVersion;
-      if (ctx.reqData.headers['content-type'])
-        ctx.reqData.contentType = StringPrototypeToLowerCase.call(ctx.reqData.headers['content-type']);
-
       ctx.propagationEventsCount = 0;
       ctx.sourceEventsCount = 0;
       ctx.responseData = {};

package/lib/sampler/common.js

@@ -31,23 +31,22 @@ class RouteAnalysisMonitor {
   }
 
   /**
-   * @param {object} reqData
-   * @param {string} reqData.uriPath
+   * @param {import('@contrast/common').SourceInfo} sourceInfo
+   * @param {string} sourceInfo.normalizedUri
    * @returns {AnalysisInfo}
    */
-  getAnalysisInfo({ method, uriPath }) {
-    const normalizedUrl = this._core.routeCoverage.uriPathToNormalizedUrl(uriPath);
+  getAnalysisInfo({ method, normalizedUri }) {
     const now = Date.now();
 
-    if (normalizedUrl) {
-      const key = `${method}:${normalizedUrl}`;
+    if (normalizedUri) {
+      const key = `${method}:${normalizedUri}`;
       let routeMeta = this._normalCache.get(key);
 
       // not in cache, not paused
       if (!routeMeta) {
         routeMeta = {
           pauseEnd: now + this._ttl,
-          normalizedUrl,
+          normalizedUrl: normalizedUri,
         };
         this._normalCache.set(key, routeMeta);
 
@@ -64,8 +63,6 @@ class RouteAnalysisMonitor {
 
       // was in cache and still paused
       return { paused: true, ...routeMeta };
-    } else {
-      // todo - handle "dynamic" routes
     }
 
     return this._defaultAnalysisInfo;
@@ -105,7 +102,6 @@ class ProbabilisticSampler extends BaseSampler {
 
   getSampleInfo(sourceInfo) {
     const { baseline, base_probability } = this.opts;
-    const { reqData } = sourceInfo.store.assess;
 
     if (this.baseline < baseline) {
       this.baseline++;
@@ -119,7 +115,7 @@ class ProbabilisticSampler extends BaseSampler {
 
     // check route monitoring before sampling
     if (canSample) {
-      const routeInfo = this.routeMonitor?.getAnalysisInfo(reqData);
+      const routeInfo = this.routeMonitor?.getAnalysisInfo(sourceInfo);
 
       if (routeInfo) {
         // don't sample if analysis is paused

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@contrast/assess",
-  "version": "1.58.2",
+  "version": "1.59.0",
   "description": "Contrast service providing framework-agnostic Assess support",
   "license": "SEE LICENSE IN LICENSE",
   "author": "Contrast Security <nodejs@contrastsecurity.com> (https://www.contrastsecurity.com)",
@@ -20,17 +20,18 @@
     "test": "bash ../scripts/test.sh"
   },
   "dependencies": {
-    "@contrast/common": "1.34.2",
-    "@contrast/config": "1.49.2",
-    "@contrast/core": "1.54.2",
-    "@contrast/dep-hooks": "1.23.2",
+    "@contrast/common": "1.35.0",
+    "@contrast/config": "1.50.0",
+    "@contrast/core": "1.55.0",
+    "@contrast/dep-hooks": "1.24.0",
     "@contrast/distringuish": "^5.1.0",
-    "@contrast/instrumentation": "1.33.2",
-    "@contrast/logger": "1.27.2",
-    "@contrast/patcher": "1.26.2",
-    "@contrast/rewriter": "1.30.2",
-    "@contrast/route-coverage": "1.45.2",
-    "@contrast/scopes": "1.24.2",
+    "@contrast/instrumentation": "1.34.0",
+    "@contrast/logger": "1.28.0",
+    "@contrast/patcher": "1.27.0",
+    "@contrast/rewriter": "1.31.0",
+    "@contrast/route-coverage": "1.46.0",
+    "@contrast/scopes": "1.25.0",
+    "@contrast/sources": "1.1.0",
     "semver": "^7.6.0"
   }
 }