npm - @contrast/assess - Versions diffs - 1.9.0 → 1.11.0 - Mend

@contrast/assess 1.9.0 → 1.11.0

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (116) hide show

package/lib/dataflow/utils/is-safe-content-type.js CHANGED Viewed

@@ -1,5 +1,5 @@
 /*
- * Copyright: 2022 Contrast Security, Inc
+ * Copyright: 2023 Contrast Security, Inc
  * Contact: support@contrastsecurity.com
  * License: Commercial

package/lib/dataflow/utils/is-vulnerable.js CHANGED Viewed

@@ -1,5 +1,5 @@
 /*
- * Copyright: 2022 Contrast Security, Inc
+ * Copyright: 2023 Contrast Security, Inc
  * Contact: support@contrastsecurity.com
  * License: Commercial

package/lib/index.js CHANGED Viewed

@@ -1,5 +1,5 @@
 /*
- * Copyright: 2022 Contrast Security, Inc
+ * Copyright: 2023 Contrast Security, Inc
  * Contact: support@contrastsecurity.com
  * License: Commercial

package/lib/response-scanning/handlers/index.js CHANGED Viewed

@@ -1,5 +1,5 @@
 /*
- * Copyright: 2022 Contrast Security, Inc
+ * Copyright: 2023 Contrast Security, Inc
  * Contact: support@contrastsecurity.com
  * License: Commercial
@@ -15,6 +15,12 @@
 'use strict';
+const {
+  toLowerCase,
+  stringify,
+  substring,
+  ResponseScanningRule
+} = require('@contrast/common');
 const {
   escapeHtml,
   isHtmlContent,
@@ -26,7 +32,6 @@ const {
   getCspHeaders,
   checkCspSources
 } = require('./utils');
-const { toLowerCase, substring, ResponseScanningRule } = require('@contrast/common');
 module.exports = function(core) {
   const {
@@ -106,7 +111,7 @@ module.exports = function(core) {
       reportFindings(sourceContext, {
         ruleId: ResponseScanningRule.CACHE_CONTROLS_MISSING,
         vulnerabilityMetadata: {
-          data: JSON.stringify(instructions)
+          data: stringify(instructions)
         }
       });
     }
@@ -176,7 +181,10 @@ module.exports = function(core) {
       delete vulnerabilityMetadata.referrerSecure;
       delete vulnerabilityMetadata.referrerValue;
-      reportFindings(sourceContext, { ruleId: ResponseScanningRule.CSP_HEADER_INSECURE, vulnerabilityMetadata });
+      reportFindings(sourceContext, {
+        ruleId: ResponseScanningRule.CSP_HEADER_INSECURE,
+        vulnerabilityMetadata: { data: JSON.stringify(vulnerabilityMetadata) }
+      });
     }
   };
@@ -210,7 +218,27 @@ module.exports = function(core) {
     }
   };
-  responseScanning.handlePoweredByHeader = function(sourceContext, { responseHeaders }) {
+  responseScanning.handleXContentTypeHeaderMissing = function(sourceContext, { responseHeaders }) {
+    const headerName = 'x-content-type-options';
+    let header = responseHeaders[headerName];
+    if (header) {
+      header = toLowerCase(header);
+      if (header === 'nosniff') {
+        return;
+      }
+    }
+    reportFindings(sourceContext, {
+      ruleId: ResponseScanningRule.XCONTENTTYPE_HEADER_MISSING,
+      vulnerabilityMetadata: {
+        data: header || ''
+      }
+    });
+  };
+  // NODE-3135
+  responseScanning.handleXPoweredByHeader = function(sourceContext, { responseHeaders }) {
     const headerName = 'x-powered-by';
     let header = responseHeaders[headerName];
@@ -226,7 +254,7 @@ module.exports = function(core) {
       ];
       reportFindings(sourceContext, {
-        ruleId: ResponseScanningRule.POWERED_BY_HEADER,
+        ruleId: ResponseScanningRule.X_POWERED_BY_HEADER,
         vulnerabilityMetadata: {
           data: JSON.stringify(instructions)
         }
@@ -234,37 +262,15 @@ module.exports = function(core) {
     }
   };
-  responseScanning.handleXContentTypeHeaderMissing = function(sourceContext, { responseHeaders }) {
-    const headerName = 'x-content-type-options';
-    let header = responseHeaders[headerName];
-    if (header) {
-      header = toLowerCase(header);
-      if (header === 'nosniff') {
-        return;
-      }
-    }
-    reportFindings(sourceContext, {
-      ruleId: ResponseScanningRule.XCONTENTTYPE_HEADER_MISSING,
-      vulnerabilityMetadata: {
-        data: header || ''
-      }
-    });
-  };
   responseScanning.handleXxsProtectionHeaderDisabled = function(sourceContext, { responseHeaders }) {
     const header = responseHeaders['x-xss-protection'];
-    // This header is set by default, so `header` should always be present.
-    if (header && header.startsWith('1')) {
-      return;
-    }
+    if (header?.startsWith?.('1')) return;
     reportFindings(sourceContext, {
       ruleId: ResponseScanningRule.XXSPROTECTION_HEADER_DISABLED,
       vulnerabilityMetadata: {
-        data: header
+        data: header,
       }
     });
   };

package/lib/response-scanning/handlers/utils.js CHANGED Viewed

@@ -1,5 +1,5 @@
 /*
- * Copyright: 2022 Contrast Security, Inc
+ * Copyright: 2023 Contrast Security, Inc
  * Contact: support@contrastsecurity.com
  * License: Commercial

package/lib/response-scanning/index.js CHANGED Viewed

@@ -1,5 +1,5 @@
 /*
- * Copyright: 2022 Contrast Security, Inc
+ * Copyright: 2023 Contrast Security, Inc
  * Contact: support@contrastsecurity.com
  * License: Commercial

package/lib/response-scanning/install/http.js CHANGED Viewed

@@ -1,5 +1,5 @@
 /*
- * Copyright: 2022 Contrast Security, Inc
+ * Copyright: 2023 Contrast Security, Inc
  * Contact: support@contrastsecurity.com
  * License: Commercial
@@ -30,7 +30,7 @@ module.exports = function(core) {
         handleParameterPollution,
         handleCspHeader,
         handleHstsHeaderMissing,
-        handlePoweredByHeader,
+        handleXPoweredByHeader,
         handleXContentTypeHeaderMissing,
         handleXxsProtectionHeaderDisabled,
       }
@@ -76,7 +76,7 @@ module.exports = function(core) {
     handleParameterPollution(sourceContext, evaluationContext);
     handleCspHeader(sourceContext, evaluationContext);
     handleHstsHeaderMissing(sourceContext, evaluationContext);
-    handlePoweredByHeader(sourceContext, evaluationContext);
+    handleXPoweredByHeader(sourceContext, evaluationContext);
     handleXContentTypeHeaderMissing(sourceContext, evaluationContext);
     handleXxsProtectionHeaderDisabled(sourceContext, evaluationContext);
   }

package/lib/session-configuration/index.js CHANGED Viewed

@@ -1,5 +1,5 @@
 /*
- * Copyright: 2022 Contrast Security, Inc
+ * Copyright: 2023 Contrast Security, Inc
  * Contact: support@contrastsecurity.com
  * License: Commercial

package/lib/session-configuration/install/http.js CHANGED Viewed

@@ -1,5 +1,5 @@
 /*
- * Copyright: 2022 Contrast Security, Inc
+ * Copyright: 2023 Contrast Security, Inc
  * Contact: support@contrastsecurity.com
  * License: Commercial

package/package.json CHANGED Viewed

@@ -1,6 +1,6 @@
 {
   "name": "@contrast/assess",
-  "version": "1.9.0",
+  "version": "1.11.0",
   "description": "",
   "main": "lib/index.js",
   "scripts": {
@@ -15,7 +15,7 @@
   "dependencies": {
     "@contrast/distringuish": "^4.1.0",
     "@contrast/scopes": "1.4.0",
-    "@contrast/common": "1.12.0",
+    "@contrast/common": "1.14.0",
     "parseurl": "^1.3.3"
   }
 }