@contrast/assess 1.67.2 → 1.68.0
This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
|
@@ -100,24 +100,24 @@ module.exports = function (core) {
|
|
|
100
100
|
|
|
101
101
|
if (!event) return;
|
|
102
102
|
|
|
103
|
+
let skipLib;
|
|
104
|
+
const stack = config.getEffectiveValue('assess.stacktraces') === 'NONE' ?
|
|
105
|
+
core.stackTraceFactory.create() :
|
|
106
|
+
event.stack;
|
|
107
|
+
|
|
103
108
|
// check stacktrace for trusted libraries
|
|
104
|
-
|
|
105
|
-
|
|
106
|
-
|
|
107
|
-
|
|
108
|
-
|
|
109
|
-
|
|
110
|
-
|
|
111
|
-
for
|
|
112
|
-
|
|
113
|
-
|
|
114
|
-
|
|
115
|
-
|
|
116
|
-
lib
|
|
117
|
-
);
|
|
118
|
-
if (file.indexOf(lib) >= 0) return;
|
|
119
|
-
}
|
|
120
|
-
}
|
|
109
|
+
for (const safeLib of SAFE_HASH_LIBS) {
|
|
110
|
+
if (stack.some((frame) => frame.indexOf(safeLib) >= 0)) skipLib = safeLib;
|
|
111
|
+
}
|
|
112
|
+
|
|
113
|
+
if (skipLib) {
|
|
114
|
+
logger.trace(
|
|
115
|
+
{ funcKey: data.funcKey },
|
|
116
|
+
'skipping reporting for %s - trusting %s',
|
|
117
|
+
Rule.CRYPTO_BAD_MAC,
|
|
118
|
+
skipLib
|
|
119
|
+
);
|
|
120
|
+
return;
|
|
121
121
|
}
|
|
122
122
|
|
|
123
123
|
cryptoAnalysis.report({ finding: event, ruleId: Rule.CRYPTO_BAD_MAC });
|
|
@@ -38,8 +38,8 @@ module.exports = Core.makeComponent({
|
|
|
38
38
|
tracker
|
|
39
39
|
}
|
|
40
40
|
},
|
|
41
|
+
stackTraceFactory,
|
|
41
42
|
config,
|
|
42
|
-
createSnapshot,
|
|
43
43
|
} = core;
|
|
44
44
|
|
|
45
45
|
const logger = core.logger.child({ name: 'contrast:sources' });
|
|
@@ -65,7 +65,7 @@ module.exports = Core.makeComponent({
|
|
|
65
65
|
sources.createStacktrace = function(stacktraceOpts) {
|
|
66
66
|
return config.assess.stacktraces === 'NONE' || config.assess.stacktraces === 'SINK'
|
|
67
67
|
? empties.ARRAY
|
|
68
|
-
:
|
|
68
|
+
: stackTraceFactory.create(stacktraceOpts);
|
|
69
69
|
};
|
|
70
70
|
|
|
71
71
|
sources.handle = function({
|
|
@@ -117,7 +117,7 @@ module.exports = Core.makeComponent({
|
|
|
117
117
|
result: { tracked: true, value },
|
|
118
118
|
};
|
|
119
119
|
|
|
120
|
-
const event = eventFactory.createSourceEvent(eventData)
|
|
120
|
+
const event = eventFactory.createSourceEvent(eventData);
|
|
121
121
|
if (event && onEvent) onEvent(event, fieldName, pathName);
|
|
122
122
|
|
|
123
123
|
return event;
|
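--- a/package/lib/event-factory.js
+++ b/package/lib/event-factory.js
@@ -15,9 +15,16 @@
 
 'use strict';
 
-const {
+const {
+Event,
+InputType,
+empties,
+isString,
+primordials: { StringPrototypeMatch }
+} = require('@contrast/common');
 const { ConfigSource } = require('@contrast/config');
 const { Core } = require('@contrast/core/lib/ioc/core');
+
 const ANNOTATION_REGEX = /^(A|O|R|P|P\d+)$/;
 const SOURCE_EVENT_MSG = 'Source event not created: %s';
 const PROPAGATION_EVENT_MSG = 'Propagation event not created: %s';
@@ -26,10 +33,10 @@ module.exports = Core.makeComponent({
 name: 'assess.eventFactory',
 factory(core) {
 const {
-createSnapshot,
 config,
 logger,
 scopes: { sources },
+stackTraceFactory,
 } = core;
 
 const eventFactory = core.assess.eventFactory = {};
@@ -62,7 +69,7 @@ module.exports = Core.makeComponent({
 logger.debug(SOURCE_EVENT_MSG, `event has no tags: ${data.name}`);
 return null;
 }
-if (!data.stack || !Array.isArray(data.stack)) {
+if (!data.stack || (!Array.isArray(data.stack) && !isString(data.stack))) {
 logger.debug(SOURCE_EVENT_MSG, `invalid stack: ${data.name}`);
 return null;
 }
@@ -102,7 +109,7 @@ module.exports = Core.makeComponent({
 }
 
 if (eventFactory.stacktraces === 'ALL') {
-data.stack =
+data.stack = stackTraceFactory.create(data.stacktraceOpts);
 } else {
 data.stack = empties.ARRAY;
 }
@@ -144,7 +151,7 @@ module.exports = Core.makeComponent({
 }
 
 if (eventFactory.stacktraces !== 'NONE') {
-data.stack =
+data.stack = stackTraceFactory.create(data.stacktraceOpts);
 } else {
 data.stack = empties.ARRAY;
 }
@@ -172,7 +179,7 @@ module.exports = Core.makeComponent({
 return null;
 }
 if (eventFactory.stacktraces !== 'NONE') {
-data.stack =
+data.stack = stackTraceFactory.create(data.stacktraceOpts);
 } else {
 data.stack = empties.ARRAY;
 }
@@ -213,7 +220,7 @@ module.exports = Core.makeComponent({
 return null;
 }
 if (eventFactory.stacktraces !== 'NONE') {
-data.stack =
+data.stack = stackTraceFactory.create(data.stacktraceOpts);
 } else {
 data.stack = empties.ARRAY;
 }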
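Review bot: The relaxed check at new line 72, `if (!data.stack || (!Array.isArray(data.stack) && !isString(data.stack))) {`, now lets a string through as the event's stack, but nothing in this hunk converts it to the array form that every other path in this file produces via `stackTraceFactory.create(...)` or `empties.ARRAY`. A consumer elsewhere in this diff, the CRYPTO_BAD_MAC handler, evaluates `stack.some((frame) => frame.indexOf(safeLib) >= 0)` on `event.stack`, which would throw a TypeError for a string stack instead of evaluating the trusted-library skip, assuming a string-stacked source event can reach it. Either normalize the string form to an array before it is stored on the event, or add `// data.stack may be a string here; downstream consumers must not assume an array` at the check and make those consumers tolerate both forms. The enclosing function (apparently the source-event factory, given SOURCE_EVENT_MSG) starts and ends outside the hunk.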
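--- a/package/package.json
+++ b/package/package.json
@@ -1,6 +1,6 @@
 {
 "name": "@contrast/assess",
-"version": "1.
+"version": "1.68.0",
 "description": "Contrast service providing framework-agnostic Assess support",
 "license": "SEE LICENSE IN LICENSE",
 "author": "Contrast Security <nodejs@contrastsecurity.com> (https://www.contrastsecurity.com)",
@@ -20,18 +20,19 @@
 "test": "bash ../scripts/test.sh"
 },
 "dependencies": {
-"@contrast/common": "1.
-"@contrast/config": "1.
-"@contrast/core": "1.
-"@contrast/dep-hooks": "1.
+"@contrast/common": "1.40.0",
+"@contrast/config": "1.56.0",
+"@contrast/core": "1.61.0",
+"@contrast/dep-hooks": "1.30.0",
 "@contrast/distringuish": "^6.0.2",
-"@contrast/instrumentation": "1.
-"@contrast/logger": "1.
-"@contrast/patcher": "1.
-"@contrast/rewriter": "1.
-"@contrast/route-coverage": "1.
-"@contrast/scopes": "1.
-"@contrast/sources": "1.
+"@contrast/instrumentation": "1.40.0",
+"@contrast/logger": "1.34.0",
+"@contrast/patcher": "1.33.0",
+"@contrast/rewriter": "1.38.0",
+"@contrast/route-coverage": "1.54.0",
+"@contrast/scopes": "1.31.0",
+"@contrast/sources": "1.7.0",
+"@contrast/stack-trace-factory": "1.1.0",
 "semver": "^7.6.0"
 }
 }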