@contrast/assess 1.71.1 → 1.73.0

@@ -59,7 +59,7 @@ module.exports = function (core) {
59
59
  const method = 'JSON.parse';
60
60
  const eventArgs = [
61
61
  {
62
- value: data.args[0],
62
+ value: strInfo.value,
63
63
  tracked: true,
64
64
  },
65
65
  reviver && {
@@ -88,7 +88,6 @@ module.exports = function (core) {
88
88
  value,
89
89
  tracked: true,
90
90
  },
91
- value,
92
91
  tags: newTags,
93
92
  stacktraceOpts: {
94
93
  constructorOpt: data.hooked,
@@ -57,7 +57,7 @@ module.exports = function(core) {
57
57
  },
58
58
  } = core;
59
59
 
60
- const pre = (name, method) => (data) => {
60
+ const pre = (moduleName, method) => (data, info) => {
61
61
  if (
62
62
  !getSinkContext(ruleId) ||
63
63
  !data.args[0] ||
@@ -70,16 +70,17 @@ module.exports = function(core) {
70
70
  return;
71
71
  }
72
72
 
73
+ const methodName = `Database.prototype.${method}`;
73
74
  const event = createSinkEvent({
74
- name,
75
- moduleName: 'sqlite3',
76
- methodName: `Database.prototype.${method}`,
75
+ name: `${moduleName}.${methodName}`,
76
+ moduleName,
77
+ methodName,
77
78
  get context() {
78
79
  return `db.${method}('${strInfo.value}')`;
79
80
  },
80
81
  history: [strInfo],
81
82
  object: {
82
- value: 'sqlite3.Database',
83
+ value: `${moduleName}.Database`,
83
84
  tracked: false,
84
85
  },
85
86
  args: [
@@ -106,13 +107,25 @@ module.exports = function(core) {
106
107
 
107
108
  core.assess.dataflow.sinks.sqlite3 = {
108
109
  install() {
110
+
111
+ depHooks.resolve({ name: 'better-sqlite3', version: '<13'}, betterSqlite3 => {
112
+ ['exec', 'prepare'].forEach((method) => {
113
+ const name = `better-sqlite3.prototype.${method}`;
114
+ patcher.patch(betterSqlite3.prototype, method, {
115
+ name,
116
+ patchType,
117
+ pre: pre('better-sqlite3', method)
118
+ });
119
+ });
120
+ });
121
+
109
122
  depHooks.resolve({ name: 'sqlite3', version: '<6' }, sqlite3 => {
110
123
  ['all', 'run', 'get', 'each', 'exec', 'prepare'].forEach((method) => {
111
124
  const name = `sqlite3.Database.prototype.${method}`;
112
125
  patcher.patch(sqlite3.Database.prototype, method, {
113
126
  name,
114
127
  patchType,
115
- pre: pre(name, method)
128
+ pre: pre('sqlite3', method)
116
129
  });
117
130
  });
118
131
  });
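Review bot: The new better-sqlite3 block hooks only `exec` and `prepare`, so SQL that reaches the driver by any other entry point is not treated as a sink. `Database.prototype.pragma` takes a string and, as far as I can tell, prepares it natively rather than through the patched `prepare`, so it is worth confirming and, if so, extending the list to `['exec', 'prepare', 'pragma']`. Separately, the patch is registered as `better-sqlite3.prototype.${method}` while the event built in `pre` reports `better-sqlite3.Database.prototype.${method}`; a one-line comment noting that the package export is itself the Database class would stop the two names reading as a mismatch. The added `info` parameter of `pre` is unused in the visible lines, and the body of `pre` continues outside the hunks.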
@@ -35,7 +35,7 @@ module.exports = function (core) {
35
35
  require('./install/http')(core);
36
36
  require('./install/qs6')(core);
37
37
  require('./install/querystring')(core);
38
- require('./install/multer1')(core);
38
+ require('./install/multer')(core);
39
39
  core.initComponentSync(require('./install/socket.io'));
40
40
 
41
41
  sources.install = function install() {
@@ -67,10 +67,10 @@ module.exports = (core) => {
67
67
  }
68
68
  }
69
69
 
70
- const multer1Instrumentation = (core.assess.dataflow.sources.multer1Instrumentation = {
70
+ const multerInstrumentation = (core.assess.dataflow.sources.multerInstrumentation = {
71
71
  install() {
72
72
  depHooks.resolve(
73
- { name: 'multer', version: '<2', file: 'lib/make-middleware.js' },
73
+ { name: 'multer', version: '<3', file: 'lib/make-middleware.js' },
74
74
  (_export) => patcher.patch(_export, {
75
75
  name: 'multer._makeMiddleware',
76
76
  patchType,
@@ -92,5 +92,5 @@ module.exports = (core) => {
92
92
  },
93
93
  });
94
94
 
95
- return multer1Instrumentation;
95
+ return multerInstrumentation;
96
96
  };
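Review bot: The widened range `version: '<3'` still resolves the internal file `lib/make-middleware.js` and patches it as `multer._makeMiddleware`, so source tracking for multer 2.x depends on that private module keeping its path and export shape. If a 2.x release moves or reshapes it, the hook presumably never fires and uploaded fields reach the application untracked, with nothing in the visible lines to signal the gap. I would add a comment above the `depHooks.resolve` call such as `// make-middleware.js layout checked for multer 1.x and 2.x; re-verify before widening the range`, backed by a test per supported major. The `install()` body continues outside the hunk.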
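--- a/package/package.json
+++ b/package/package.json
@@ -1,6 +1,6 @@
  {
  "name": "@contrast/assess",
- "version": "1.71.1",
+ "version": "1.73.0",
  "description": "Contrast service providing framework-agnostic Assess support",
  "license": "SEE LICENSE IN LICENSE",
  "author": "Contrast Security <nodejs@contrastsecurity.com> (https://www.contrastsecurity.com)",
@@ -28,11 +28,11 @@
  "@contrast/instrumentation": "1.42.2",
  "@contrast/logger": "1.36.2",
  "@contrast/patcher": "1.35.2",
- "@contrast/rewriter": "1.40.2",
- "@contrast/route-coverage": "1.56.2",
+ "@contrast/rewriter": "1.40.3",
+ "@contrast/route-coverage": "1.57.0",
  "@contrast/scopes": "1.33.2",
  "@contrast/sources": "1.9.2",
- "@contrast/stack-trace-factory": "1.3.2",
+ "@contrast/stack-trace-factory": "1.3.3",
  "semver": "7.6.0"
  }
  }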