npm - @contrast/assess - Versions diffs - 1.74.0 → 1.76.0 - Mend

@contrast/assess 1.74.0 → 1.76.0

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (7) hide show

package/lib/dataflow/propagation/index.js +1 -0
package/lib/dataflow/propagation/install/sanitize-html.js +100 -0
package/lib/dataflow/propagation/install/util-format.js +2 -0
package/lib/dataflow/sinks/install/mongodb.js +1 -1
package/lib/dataflow/sinks/install/sqlite3.js +12 -1
package/lib/dataflow/sources/install/fastify/fastify.js +48 -41
package/package.json +12 -12

package/lib/dataflow/propagation/index.js CHANGED Viewed

@@ -41,6 +41,7 @@ module.exports = function(core) {
   require('./install/mysql-connection-escape')(core);
   require('./install/parse-int')(core);
   require('./install/pug-runtime-escape')(core);
+  core.initComponentSync(require('./install/sanitize-html'));
   require('./install/sql-template-strings')(core);
   require('./install/unescape')(core);
   require('./install/querystring')(core);

package/lib/dataflow/propagation/install/sanitize-html.js ADDED Viewed

@@ -0,0 +1,100 @@
+/*
+ * Copyright: 2026 Contrast Security, Inc
+ * Contact: support@contrastsecurity.com
+ * License: Commercial
+ * NOTICE: This Software and the patented inventions embodied within may only be
+ * used as part of Contrast Security’s commercial offerings. Even though it is
+ * made available through public repositories, use of this Software is subject to
+ * the applicable End User Licensing Agreement found at
+ * https://www.contrastsecurity.com/enduser-terms-0317a or as otherwise agreed
+ * between Contrast Security and the End User. The Software may not be reverse
+ * engineered, modified, repackaged, sold, redistributed or otherwise used in a
+ * way not consistent with the End User License Agreement.
+ */
+'use strict';
+const {
+  primordials: { StringPrototypeSubstr },
+  DataflowTag: { CUSTOM_VALIDATED_REFLECTED_XSS } } = require('@contrast/common');
+const { kComponentName, ComponentBase } = require('@contrast/core/lib/ioc/core');
+const { patchType } = require('../common');
+const COMPONENT_NAME = 'assess.dataflow.propagation.sanitizeHtml';
+module.exports = class extends ComponentBase {
+  static [kComponentName] = COMPONENT_NAME;
+  install() {
+    const {
+      patcher,
+      depHooks,
+      assess: {
+        getPropagatorContext,
+        eventFactory: { createPropagationEvent },
+        dataflow: { tracker }
+      }
+    } = this.core;
+    depHooks.resolve({ name: 'sanitize-html', version: '<3' }, (sanitizeHtml) => {
+      const name = 'sanitize-html';
+      return patcher.patch(sanitizeHtml, {
+        name,
+        patchType,
+        usePerf: 'sync',
+        post(data) {
+          const { args, result, hooked } = data;
+          if (!result || !args[0] || !getPropagatorContext()) return;
+          const argInfo = tracker.getData(args[0]);
+          if (!argInfo) return;
+          const resultInfo = tracker.getData(result);
+          if (!resultInfo) return;
+          const history = [{ ...argInfo }];
+          const newTags = {
+            ...resultInfo.tags,
+            CUSTOM_VALIDATED_REFLECTED_XSS: [0, result.length - 1]
+          };
+          const truncatedArg = argInfo.value.length > 100 ?
+            StringPrototypeSubstr.call(argInfo.value, 0, 100) :
+            argInfo.value;
+          const event = createPropagationEvent({
+            name,
+            moduleName: name,
+            methodName: '',
+            get context() {
+              return `sanitizeHtml(${truncatedArg})`;
+            },
+            object: {
+              value: name,
+              tracked: false
+            },
+            result: {
+              value: resultInfo ? resultInfo.value : result,
+              tracked: !!resultInfo,
+            },
+            args: [{ value: truncatedArg, tracked: true }],
+            tags: newTags,
+            history,
+            source: 'P',
+            target: 'R',
+            addedTags: [CUSTOM_VALIDATED_REFLECTED_XSS],
+            stacktraceOpts: {
+              constructorOpt: hooked,
+            },
+          });
+          if (!event) return;
+          if (resultInfo) {
+            Object.assign(resultInfo, event);
+          }
+        }
+      });
+    });
+  }
+};

package/lib/dataflow/propagation/install/util-format.js CHANGED Viewed

@@ -132,6 +132,8 @@ module.exports = function(core) {
               }
             }
+            if (history.length == 0) return;
             const resultInfo = tracker.getData(result);
             const event = createPropagationEvent({
               name,

package/lib/dataflow/sinks/install/mongodb.js CHANGED Viewed

@@ -373,7 +373,7 @@ module.exports = function (core) {
   }
   instr.install = function () {
-    depHooks.resolve({ name: 'mongodb', version: '<7' }, (mongodb, meta) => {
+    depHooks.resolve({ name: 'mongodb', version: '<8' }, (mongodb, meta) => {
       if (!mongodb.Collection || !mongodb.Db) {
         meta.rerun();
         return;

package/lib/dataflow/sinks/install/sqlite3.js CHANGED Viewed

@@ -107,7 +107,18 @@ module.exports = function(core) {
   core.assess.dataflow.sinks.sqlite3 = {
     install() {
-      depHooks.resolve({ name: 'better-sqlite3', version: '<13'}, betterSqlite3 => {
+      depHooks.resolve({ name: 'node:sqlite', version: '*' }, nodeSqlite => {
+        ['exec', 'prepare'].forEach((method) => {
+          const name = `nodeSqlite.DatabaseSync.prototype.${method}`;
+          patcher.patch(nodeSqlite.DatabaseSync.prototype, method, {
+            name,
+            patchType,
+            pre: pre('node:sqlite', method)
+          });
+        });
+      });
+      depHooks.resolve({ name: 'better-sqlite3', version: '<13' }, betterSqlite3 => {
         ['exec', 'prepare'].forEach((method) => {
           const name = `better-sqlite3.prototype.${method}`;
           patcher.patch(betterSqlite3.prototype, method, {

package/lib/dataflow/sources/install/fastify/fastify.js CHANGED Viewed

@@ -31,53 +31,60 @@ module.exports = function (core) {
   const source = sources.fastifyInstrumentation.fastify = {
     install() {
-      depHooks.resolve({ name: 'fastify', version: '>=4 <6' }, (fastify) => patcher.patch(fastify, {
-        name: 'fastify.constructor',
-        patchType,
-        post({ result: server, funcKey }) {
-          server.addHook('preValidation', function preValidationHandler(request, reply, done) {
-            // todo(NODE-3793): support for @fastify/websocket
-            if (request.constructor.name == 'WebSocket') return;
+      depHooks.resolve({ name: 'fastify', version: '>=4 <6' }, (fastify) => {
+        const patched = patcher.patch(fastify, {
+          name: 'fastify.constructor',
+          patchType,
+          post({ result: server, funcKey }) {
+            server.addHook('preValidation', function preValidationHandler(request, reply, done) {
+              // todo(NODE-3793): support for @fastify/websocket
+              if (request.constructor.name == 'WebSocket') return;
-            const sourceContext = getSourceContext();
-            if (!sourceContext) return done();
+              const sourceContext = getSourceContext();
+              if (!sourceContext) return done();
-            const bodyType = request?.headers?.['content-type']?.includes('/json')
-              ? InputType.JSON_VALUE
-              : typeof request.body == 'object'
-                ? InputType.PARAMETER_VALUE
-                : InputType.BODY;
+              const bodyType = request?.headers?.['content-type']?.includes('/json')
+                ? InputType.JSON_VALUE
+                : typeof request.body == 'object'
+                  ? InputType.PARAMETER_VALUE
+                  : InputType.BODY;
-            [
-              { key: 'query', inputType: InputType.QUERYSTRING, alreadyTrackedFlag: 'parsedQuery' },
-              { key: 'params', inputType: InputType.URL_PARAMETER, alreadyTrackedFlag: 'parsedParams' },
-              { key: 'body', inputType: bodyType, alreadyTrackedFlag: 'parsedBody' }
-            ].forEach(({ key, inputType, alreadyTrackedFlag }) => {
-              if (sourceContext[alreadyTrackedFlag]) {
-                logger.trace({ inputType, funcKey }, 'values already tracked');
-                return;
-              }
+              [
+                { key: 'query', inputType: InputType.QUERYSTRING, alreadyTrackedFlag: 'parsedQuery' },
+                { key: 'params', inputType: InputType.URL_PARAMETER, alreadyTrackedFlag: 'parsedParams' },
+                { key: 'body', inputType: bodyType, alreadyTrackedFlag: 'parsedBody' }
+              ].forEach(({ key, inputType, alreadyTrackedFlag }) => {
+                if (sourceContext[alreadyTrackedFlag]) {
+                  logger.trace({ inputType, funcKey }, 'values already tracked');
+                  return;
+                }
-              try {
-                sources.handle({
-                  context: `req.${key}`,
-                  data: request[key],
-                  inputType,
-                  name: 'fastify.preValidation',
-                  stacktraceOpts: {
-                    constructorOpt: preValidationHandler,
-                  },
-                  sourceContext
-                });
-              } catch (err) {
-                logger.error({ err, inputType, funcKey }, 'unable to handle Fastify source');
-              }
+                try {
+                  sources.handle({
+                    context: `req.${key}`,
+                    data: request[key],
+                    inputType,
+                    name: 'fastify.preValidation',
+                    stacktraceOpts: {
+                      constructorOpt: preValidationHandler,
+                    },
+                    sourceContext
+                  });
+                } catch (err) {
+                  logger.error({ err, inputType, funcKey }, 'unable to handle Fastify source');
+                }
+              });
+              return done();
             });
+          },
+        });
+        fastify.fastify = patched;
+        fastify.default = patched;
-            return done();
-          });
-        },
-      }));
+        return patched;
+      });
     }
   };

package/package.json CHANGED Viewed

@@ -1,6 +1,6 @@
 {
   "name": "@contrast/assess",
-  "version": "1.74.0",
+  "version": "1.76.0",
   "description": "Contrast service providing framework-agnostic Assess support",
   "license": "SEE LICENSE IN LICENSE",
   "author": "Contrast Security <nodejs@contrastsecurity.com> (https://www.contrastsecurity.com)",
@@ -21,18 +21,18 @@
   },
   "dependencies": {
     "@contrast/common": "1.41.1",
-    "@contrast/config": "1.58.2",
-    "@contrast/core": "1.63.2",
-    "@contrast/dep-hooks": "1.32.2",
+    "@contrast/config": "1.59.0",
+    "@contrast/core": "1.64.0",
+    "@contrast/dep-hooks": "1.33.0",
     "@contrast/distringuish": "6.0.2",
-    "@contrast/instrumentation": "1.42.2",
-    "@contrast/logger": "1.36.2",
-    "@contrast/patcher": "1.35.2",
-    "@contrast/rewriter": "1.40.3",
-    "@contrast/route-coverage": "1.57.1",
-    "@contrast/scopes": "1.33.2",
-    "@contrast/sources": "1.9.2",
-    "@contrast/stack-trace-factory": "1.4.0",
+    "@contrast/instrumentation": "1.43.0",
+    "@contrast/logger": "1.37.0",
+    "@contrast/patcher": "1.36.0",
+    "@contrast/rewriter": "1.41.0",
+    "@contrast/route-coverage": "1.58.0",
+    "@contrast/scopes": "1.34.0",
+    "@contrast/sources": "1.10.0",
+    "@contrast/stack-trace-factory": "1.5.0",
     "semver": "7.6.0"
   }
 }