@contrast/core 1.50.0 → 1.52.0
This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
package/lib/ioc/core.js
CHANGED
|
@@ -38,7 +38,8 @@ class Core {
|
|
|
38
38
|
Object.assign(this, { ...initData });
|
|
39
39
|
|
|
40
40
|
if (process.env.CONTRAST_EXT_PATH) {
|
|
41
|
-
require(
|
|
41
|
+
const path = require('path');
|
|
42
|
+
require(path.resolve(process.env.CONTRAST_EXT_PATH))(this);
|
|
42
43
|
}
|
|
43
44
|
|
|
44
45
|
this.messages.on('ext:core.init', (fullName) => {
|
|
@@ -31,13 +31,14 @@ module.exports = function(core) {
|
|
|
31
31
|
}
|
|
32
32
|
}
|
|
33
33
|
|
|
34
|
-
function traverseAndMask(target) {
|
|
34
|
+
function traverseAndMask(target, unmasked) {
|
|
35
35
|
let redactedText;
|
|
36
36
|
if (!target) return;
|
|
37
37
|
|
|
38
38
|
traverseKeys(target, (path, type, value, obj) => {
|
|
39
39
|
redactedText = getRedactedText(value);
|
|
40
40
|
if (redactedText) {
|
|
41
|
+
if (unmasked) unmasked.add(obj[value]);
|
|
41
42
|
obj[value] = redactedText;
|
|
42
43
|
redactedText = undefined;
|
|
43
44
|
}
|
|
@@ -34,14 +34,15 @@ module.exports = function (core) {
|
|
|
34
34
|
|
|
35
35
|
logger.trace('masking sensitive fields in %s message', Event.PROTECT);
|
|
36
36
|
|
|
37
|
+
const unmasked = policy.maskAttackVector ? new Set() : undefined;
|
|
37
38
|
if (policy.maskHttpBody) {
|
|
38
39
|
msg.protect.parsedBody = `${CONTRAST_REDACTED}-body`;
|
|
39
40
|
} else {
|
|
40
|
-
traverseAndMask(msg.protect?.parsedBody);
|
|
41
|
+
traverseAndMask(msg.protect?.parsedBody, unmasked);
|
|
41
42
|
}
|
|
42
43
|
|
|
43
|
-
traverseAndMask(msg.protect?.parsedCookies);
|
|
44
|
-
traverseAndMask(msg.protect?.parsedQuery);
|
|
44
|
+
traverseAndMask(msg.protect?.parsedCookies, unmasked);
|
|
45
|
+
traverseAndMask(msg.protect?.parsedQuery, unmasked);
|
|
45
46
|
|
|
46
47
|
// Do parsed URL path params and urlPath together
|
|
47
48
|
const params = msg.protect?.parsedParams;
|
|
@@ -89,6 +90,17 @@ module.exports = function (core) {
|
|
|
89
90
|
for (const [, results] of inputAnalysis) {
|
|
90
91
|
for (const result of results) {
|
|
91
92
|
const redactedText = getRedactedText(result.key);
|
|
93
|
+
if (result.exploitMetadata.length) {
|
|
94
|
+
result.exploitMetadata.forEach((exploit) => {
|
|
95
|
+
unmasked.forEach((val) => {
|
|
96
|
+
exploit.sinkContext.value = StringPrototypeReplace.call(
|
|
97
|
+
exploit.sinkContext.value,
|
|
98
|
+
val,
|
|
99
|
+
'contrast-redacted-vector'
|
|
100
|
+
);
|
|
101
|
+
});
|
|
102
|
+
});
|
|
103
|
+
}
|
|
92
104
|
if (redactedText) {
|
|
93
105
|
result.value = redactedText;
|
|
94
106
|
}
|
package/package.json
CHANGED
|
@@ -1,6 +1,6 @@
|
|
|
1
1
|
{
|
|
2
2
|
"name": "@contrast/core",
|
|
3
|
-
"version": "1.
|
|
3
|
+
"version": "1.52.0",
|
|
4
4
|
"description": "Preconfigured Contrast agent core services and models",
|
|
5
5
|
"license": "SEE LICENSE IN LICENSE",
|
|
6
6
|
"author": "Contrast Security <nodejs@contrastsecurity.com> (https://www.contrastsecurity.com)",
|
|
@@ -20,11 +20,11 @@
|
|
|
20
20
|
},
|
|
21
21
|
"dependencies": {
|
|
22
22
|
"@contrast/common": "1.32.0",
|
|
23
|
-
"@contrast/config": "1.
|
|
23
|
+
"@contrast/config": "1.47.0",
|
|
24
24
|
"@contrast/find-package-json": "^1.1.0",
|
|
25
25
|
"@contrast/fn-inspect": "^4.3.0",
|
|
26
|
-
"@contrast/logger": "1.
|
|
27
|
-
"@contrast/patcher": "1.
|
|
26
|
+
"@contrast/logger": "1.25.0",
|
|
27
|
+
"@contrast/patcher": "1.24.0",
|
|
28
28
|
"@contrast/perf": "1.3.1",
|
|
29
29
|
"@tsxper/crc32": "^2.1.3",
|
|
30
30
|
"axios": "^1.7.4",
|