@contrast/assess 1.60.0 → 1.62.0
- package/lib/dataflow/sinks/install/http/server-response.js +1 -12
- package/lib/dataflow/sinks/install/restify.js +1 -1
- package/lib/dataflow/sources/install/http.js +1 -1
- package/lib/dataflow/tracker.js +1 -1
- package/lib/get-source-context.js +1 -1
- package/lib/response-scanning/install/http.js +0 -12
- package/package.json +14 -14
|
@@ -77,7 +77,7 @@ module.exports = function(core) {
|
|
|
77
77
|
];
|
|
78
78
|
|
|
79
79
|
const preHook = (moduleName, responseName, method) => ({ args, obj: response, result, hooked, orig }) => {
|
|
80
|
-
const methodName = `${responseName
|
|
80
|
+
const methodName = `${`${responseName}.prototype`}.${method}`;
|
|
81
81
|
const name = `${moduleName}.${methodName}`;
|
|
82
82
|
const sourceContext = getSinkContext(ruleId);
|
|
83
83
|
if (!sourceContext) return;
|
|
@@ -91,7 +91,6 @@ module.exports = function(core) {
|
|
|
91
91
|
const { contentType } = sourceContext.responseData;
|
|
92
92
|
if (contentType && isSafeContentType(contentType)) return;
|
|
93
93
|
|
|
94
|
-
if (moduleName === 'spdy') response.spdyStream.once('finish', () => response.emit('finish'));
|
|
95
94
|
if (isVulnerable(UNTRUSTED, safeTags, strInfo.tags)) {
|
|
96
95
|
const event = createSinkEvent({
|
|
97
96
|
args: [{
|
|
@@ -175,16 +174,6 @@ module.exports = function(core) {
|
|
|
175
174
|
});
|
|
176
175
|
}
|
|
177
176
|
});
|
|
178
|
-
depHooks.resolve({ name: 'spdy', version: '<5', file: 'lib/spdy/response.js' }, (response) => {
|
|
179
|
-
{
|
|
180
|
-
const method = 'end';
|
|
181
|
-
patcher.patch(response, method, {
|
|
182
|
-
name: 'spdy.response.end',
|
|
183
|
-
patchType,
|
|
184
|
-
pre: preHook('spdy', 'response', method),
|
|
185
|
-
});
|
|
186
|
-
}
|
|
187
|
-
});
|
|
188
177
|
};
|
|
189
178
|
|
|
190
179
|
return http;
|
|
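Review bot: The new line 80 builds the name with a template literal nested inside another, `${`${responseName}.prototype`}`, which reads like the residue of a removed conditional and evaluates to exactly the same string as the flat form; write it as ``const methodName = `${responseName}.prototype.${method}`;``. If the removed text was a spdy-only branch that skipped `.prototype`, nothing in the hunk needs that distinction now that the spdy `depHooks.resolve` block at old lines 178–187 is gone, so the flat form loses nothing. `preHook` is fully inside the first hunk, but the enclosing `module.exports = function(core)` starts and ends outside it.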
@@ -113,7 +113,7 @@ module.exports = function(core) {
|
|
|
113
113
|
install() {
|
|
114
114
|
// restify adds functionality to the built-in response via this patch function.
|
|
115
115
|
// once it returns the request, it'll have been decorated with redirect() method.
|
|
116
|
-
depHooks.resolve({ name: 'restify', version: '<12', file: 'lib/response.js' }, (responsePatch) => patcher.patch(responsePatch, {
|
|
116
|
+
depHooks.resolve({ name: 'restify', version: '>=10 <12', file: 'lib/response.js' }, (responsePatch) => patcher.patch(responsePatch, {
|
|
117
117
|
name: 'restify.response.patch',
|
|
118
118
|
patchType,
|
|
119
119
|
post(data) {
|
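Review bot: The narrowed range `'>=10 <12'` on line 116 stops patching restify 9 and earlier, and nothing in the hunk records why; a reader cannot tell whether those releases are now unsupported or whether `lib/response.js` is no longer the right patch point for them. Extend the existing comment with the rationale, e.g. `// only restify 10.x–11.x is patched here; earlier majors are not instrumented by this hook`, and if older restify versions are still expected in the field, consider a debug log when an out-of-range version is resolved so the silent loss of coverage for what this hook instruments (the `redirect()` decoration, per the comment above) is visible. `install()` continues past the end of the hunk.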
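--- a/package/lib/dataflow/tracker.js
+++ b/package/lib/dataflow/tracker.js
@@ -65,7 +65,7 @@ module.exports = function tracker(core) {
 
 if (distringuish.getProperties(value)) {
 const err = new Error();
-logger.
+logger.debug({ err, value }, 'tracker.track called with a string value that is already tracked');
 return { extern: null };
 }
 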
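Review bot: The new debug line at 68 logs `value` itself, and this branch only runs for a string the tracker already holds — by the log message's own wording, data that is plausibly request-derived — so at debug level it can copy user-supplied or sensitive content into the agent log. Log what a reader diagnosing the double-track needs rather than the payload, e.g. `logger.debug({ err, length: value.length }, 'tracker.track called with a string value that is already tracked');`, or the result of `distringuish.getProperties(value)` if the existing tags are the useful part. The enclosing function starts and ends outside the hunk, so I cannot tell from here whether `value` is guaranteed to be a string at this point; if not, guard the `.length` access.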
@@ -101,7 +101,7 @@ function factory(core) {
|
|
|
101
101
|
// that the caller previously logged, we generate a stack trace to
|
|
102
102
|
// capture that information.
|
|
103
103
|
const err = new Error('No source context found');
|
|
104
|
-
core.logger.
|
|
104
|
+
core.logger.debug({ err }, 'assess running outside of request scope');
|
|
105
105
|
return null;
|
|
106
106
|
}
|
|
107
107
|
|
|
@@ -146,18 +146,6 @@ module.exports = function(core) {
|
|
|
146
146
|
});
|
|
147
147
|
}
|
|
148
148
|
});
|
|
149
|
-
|
|
150
|
-
depHooks.resolve({ name: 'spdy', version: '<5', file: 'lib/spdy/response.js' }, (response) => {
|
|
151
|
-
patcher.patch(response, 'end', {
|
|
152
|
-
name: 'spdy.response.end',
|
|
153
|
-
patchType: 'test',
|
|
154
|
-
post(data) {
|
|
155
|
-
const sourceContext = getSourceContext();
|
|
156
|
-
if (!sourceContext) return;
|
|
157
|
-
endHookChecks(sourceContext, data.obj.getHeaders?.(), StringPrototypeToLowerCase.call(data.args[0] || ''));
|
|
158
|
-
}
|
|
159
|
-
});
|
|
160
|
-
});
|
|
161
149
|
};
|
|
162
150
|
|
|
163
151
|
return http;
|
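--- a/package/package.json
+++ b/package/package.json
@@ -1,6 +1,6 @@
 {
 "name": "@contrast/assess",
-"version": "1.
+"version": "1.62.0",
 "description": "Contrast service providing framework-agnostic Assess support",
 "license": "SEE LICENSE IN LICENSE",
 "author": "Contrast Security <nodejs@contrastsecurity.com> (https://www.contrastsecurity.com)",
@@ -14,24 +14,24 @@
 "types": "lib/index.d.ts",
 "engines": {
 "npm": ">=6.13.7 <7 || >= 8.3.1",
-"node": ">=
+"node": ">= 18.7.0"
 },
 "scripts": {
 "test": "bash ../scripts/test.sh"
 },
 "dependencies": {
-"@contrast/common": "1.
-"@contrast/config": "1.
-"@contrast/core": "1.
-"@contrast/dep-hooks": "1.
-"@contrast/distringuish": "^
-"@contrast/instrumentation": "1.
-"@contrast/logger": "1.
-"@contrast/patcher": "1.
-"@contrast/rewriter": "1.
-"@contrast/route-coverage": "1.
-"@contrast/scopes": "1.
-"@contrast/sources": "1.
+"@contrast/common": "1.37.0",
+"@contrast/config": "1.52.0",
+"@contrast/core": "1.57.0",
+"@contrast/dep-hooks": "1.26.0",
+"@contrast/distringuish": "^6.0.2",
+"@contrast/instrumentation": "1.36.0",
+"@contrast/logger": "1.30.0",
+"@contrast/patcher": "1.29.0",
+"@contrast/rewriter": "1.33.0",
+"@contrast/route-coverage": "1.49.0",
+"@contrast/scopes": "1.27.0",
+"@contrast/sources": "1.3.0",
 "semver": "^7.6.0"
 }
 }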