@contrast/assess 1.72.0 → 1.73.0

package/lib/dataflow/propagation/install/JSON/parse.js

@@ -59,7 +59,7 @@ module.exports = function (core) {
     const method = 'JSON.parse';
     const eventArgs = [
       {
-        value: data.args[0],
+        value: strInfo.value,
         tracked: true,
       },
       reviver && {
@@ -88,7 +88,6 @@ module.exports = function (core) {
         value,
         tracked: true,
       },
-      value,
       tags: newTags,
       stacktraceOpts: {
         constructorOpt: data.hooked,

package/lib/dataflow/sinks/install/sqlite3.js

@@ -57,7 +57,7 @@ module.exports = function(core) {
     },
   } = core;
 
-  const pre = (name, method) => (data) => {
+  const pre = (moduleName, method) => (data, info) => {
     if (
       !getSinkContext(ruleId) ||
       !data.args[0] ||
@@ -70,16 +70,17 @@ module.exports = function(core) {
       return;
     }
 
+    const methodName = `Database.prototype.${method}`;
     const event = createSinkEvent({
-      name,
-      moduleName: 'sqlite3',
-      methodName: `Database.prototype.${method}`,
+      name: `${moduleName}.${methodName}`,
+      moduleName,
+      methodName,
       get context() {
         return `db.${method}('${strInfo.value}')`;
       },
       history: [strInfo],
       object: {
-        value: 'sqlite3.Database',
+        value: `${moduleName}.Database`,
         tracked: false,
       },
       args: [
@@ -106,13 +107,25 @@ module.exports = function(core) {
 
   core.assess.dataflow.sinks.sqlite3 = {
     install() {
+
+      depHooks.resolve({ name: 'better-sqlite3', version: '<13'}, betterSqlite3 => {
+        ['exec', 'prepare'].forEach((method) => {
+          const name = `better-sqlite3.prototype.${method}`;
+          patcher.patch(betterSqlite3.prototype, method, {
+            name,
+            patchType,
+            pre: pre('better-sqlite3', method)
+          });
+        });
+      });
+
       depHooks.resolve({ name: 'sqlite3', version: '<6' }, sqlite3 => {
         ['all', 'run', 'get', 'each', 'exec', 'prepare'].forEach((method) => {
           const name = `sqlite3.Database.prototype.${method}`;
           patcher.patch(sqlite3.Database.prototype, method, {
             name,
             patchType,
-            pre: pre(name, method)
+            pre: pre('sqlite3', method)
           });
         });
       });

package/lib/dataflow/sources/index.js

@@ -35,7 +35,7 @@ module.exports = function (core) {
   require('./install/http')(core);
   require('./install/qs6')(core);
   require('./install/querystring')(core);
-  require('./install/multer1')(core);
+  require('./install/multer')(core);
   core.initComponentSync(require('./install/socket.io'));
 
   sources.install = function install() {

package/lib/dataflow/sources/install/{multer1.js → multer.js}

@@ -67,10 +67,10 @@ module.exports = (core) => {
     }
   }
 
-  const multer1Instrumentation = (core.assess.dataflow.sources.multer1Instrumentation = {
+  const multerInstrumentation = (core.assess.dataflow.sources.multerInstrumentation = {
     install() {
       depHooks.resolve(
-        { name: 'multer', version: '<2', file: 'lib/make-middleware.js' },
+        { name: 'multer', version: '<3', file: 'lib/make-middleware.js' },
         (_export) => patcher.patch(_export, {
           name: 'multer._makeMiddleware',
           patchType,
@@ -92,5 +92,5 @@ module.exports = (core) => {
     },
   });
 
-  return multer1Instrumentation;
+  return multerInstrumentation;
 };

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@contrast/assess",
-  "version": "1.72.0",
+  "version": "1.73.0",
   "description": "Contrast service providing framework-agnostic Assess support",
   "license": "SEE LICENSE IN LICENSE",
   "author": "Contrast Security <nodejs@contrastsecurity.com> (https://www.contrastsecurity.com)",