npm - @contrast/core - Versions diffs - 1.56.0 → 1.57.0 - Mend

@contrast/core 1.56.0 → 1.57.0

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (4) hide show

package/lib/index.d.ts +17 -1
package/lib/sensitive-data-masking/index.js +33 -5
package/package.json +5 -5
package/lib/sensitive-data-masking/protect-listener.js +0 -111

package/lib/index.d.ts CHANGED Viewed

@@ -44,9 +44,25 @@ export interface Core {
   messages: Messages;
-  sensitiveDataMasking: any;
+  sensitiveDataMasking: SensitiveDataMasking;
   getSystemInfo(): Promise<SystemInfo>;
   getBuildId(): Promse<number | void>;
   Perf: any;
 }
+export interface SensitiveDataMasking {
+  policy: any;
+  idMap: Map<Set, string>;
+  keywordSets: Set<string>[];
+  maskHttpBody: boolean;
+  maskAttackVector: boolean;
+  createMasker(): Masker;
+  getRedactedText(key: string, value: string): string;
+  traverseAndMask(target: Record<string, string>, p: Masker | Set<string>): void;
+}
+export interface Masker {
+  unmasked?: Set<string>;
+  getMaskedValue(key: string, value: string): string;
+}

package/lib/sensitive-data-masking/index.js CHANGED Viewed

@@ -22,29 +22,44 @@ module.exports = function(core) {
   const idMap = new Map();
   const keywordSets = [];
-  function getRedactedText(key) {
+  function getRedactedText(key, value) {
     key = StringPrototypeToLowerCase.call(key);
     for (const set of keywordSets) {
       if (set.has(key)) {
         return `${CONTRAST_REDACTED}-${idMap.get(set)}`;
       }
     }
+    return value;
   }
-  function traverseAndMask(target, unmasked) {
+  function traverseAndMask1(target, unmasked) {
     let redactedText;
     if (!target) return;
     traverseKeys(target, (path, type, value, obj) => {
       redactedText = getRedactedText(value);
       if (redactedText) {
-        if (unmasked) unmasked.add(obj[value]);
+        unmasked?.add?.(obj[value]);
         obj[value] = redactedText;
         redactedText = undefined;
       }
     });
   }
+  function traverseAndMask2(target, masker) {
+    if (!target) return;
+    traverseKeys(target, (path, type, key, obj) => {
+      obj[key] = masker.getMaskedValue(key, obj[key]);
+    });
+  }
+  function traverseAndMask(target, param) {
+    if (param instanceof Masker) {
+      return traverseAndMask2(target, param);
+    }
+    return traverseAndMask1(target, param);
+  }
   const sensitiveDataMasking = core.sensitiveDataMasking = {
     policy: {
       idMap,
@@ -53,11 +68,24 @@ module.exports = function(core) {
       maskAttackVector: false,
     },
     getRedactedText,
-    traverseAndMask
+    traverseAndMask,
+    createMasker() {
+      return new Masker();
+    },
   };
+  class Masker {
+    getMaskedValue(key, value) {
+      const redacted = getRedactedText(key, value);
+      if (value !== redacted) {
+        !this.unmasked && (this.unmasked = new Set());
+        this.unmasked.add(value);
+      }
+      return redacted;
+    }
+  }
   require('./server-settings-listener')(core);
-  require('./protect-listener')(core);
   return sensitiveDataMasking;
 };

package/package.json CHANGED Viewed

@@ -1,6 +1,6 @@
 {
   "name": "@contrast/core",
-  "version": "1.56.0",
+  "version": "1.57.0",
   "description": "Preconfigured Contrast agent core services and models",
   "license": "SEE LICENSE IN LICENSE",
   "author": "Contrast Security <nodejs@contrastsecurity.com> (https://www.contrastsecurity.com)",
@@ -19,12 +19,12 @@
     "test": "bash ../scripts/test.sh"
   },
   "dependencies": {
-    "@contrast/common": "1.36.0",
-    "@contrast/config": "1.51.0",
+    "@contrast/common": "1.37.0",
+    "@contrast/config": "1.52.0",
     "@contrast/find-package-json": "^1.1.0",
     "@contrast/fn-inspect": "^5.0.2",
-    "@contrast/logger": "1.29.0",
-    "@contrast/patcher": "1.28.0",
+    "@contrast/logger": "1.30.0",
+    "@contrast/patcher": "1.29.0",
     "@contrast/perf": "1.4.0",
     "@tsxper/crc32": "^2.1.3",
     "axios": "^1.11.0",

package/lib/sensitive-data-masking/protect-listener.js DELETED Viewed

@@ -1,111 +0,0 @@
-/*
- * Copyright: 2025 Contrast Security, Inc
- * Contact: support@contrastsecurity.com
- * License: Commercial
- * NOTICE: This Software and the patented inventions embodied within may only be
- * used as part of Contrast Security’s commercial offerings. Even though it is
- * made available through public repositories, use of this Software is subject to
- * the applicable End User Licensing Agreement found at
- * https://www.contrastsecurity.com/enduser-terms-0317a or as otherwise agreed
- * between Contrast Security and the End User. The Software may not be reverse
- * engineered, modified, repackaged, sold, redistributed or otherwise used in a
- * way not consistent with the End User License Agreement.
- */
-'use strict';
-const { URLSearchParams } = require('url');
-const { Event, primordials: { StringPrototypeReplace } } = require('@contrast/common');
-const { CONTRAST_REDACTED } = require('./constants');
-module.exports = function (core) {
-  const {
-    messages,
-    logger,
-    sensitiveDataMasking: { policy, getRedactedText, traverseAndMask },
-  } = core;
-  messages.on(Event.PROTECT, (store) => {
-    if (!store.protect || !policy.keywordSets.length || !store.sourceInfo) {
-      return;
-    }
-    logger.trace('masking sensitive fields in %s message', Event.PROTECT);
-    const unmasked = policy.maskAttackVector ? new Set() : undefined;
-    if (policy.maskHttpBody) {
-      store.protect.parsedBody = `${CONTRAST_REDACTED}-body`;
-    } else {
-      traverseAndMask(store.protect?.parsedBody, unmasked);
-    }
-    traverseAndMask(store.protect?.parsedCookies, unmasked);
-    traverseAndMask(store.protect?.parsedQuery, unmasked);
-    // Do parsed URL path params and urlPath together
-    const params = store.protect?.parsedParams;
-    if (params) {
-      for (const [key, value] of Object.entries(params)) {
-        const redactedText = getRedactedText(key);
-        if (redactedText) {
-          const encoded = encodeURIComponent(value);
-          store.sourceInfo.uriPath = StringPrototypeReplace.call(
-            store.sourceInfo.uriPath,
-            encoded,
-            redactedText
-          );
-          store.protect.parsedParams[key] = redactedText;
-        }
-      }
-    }
-    // raw headers
-    const headers = store.sourceInfo.rawHeaders;
-    for (let i = 0; i <= headers.length - 2; i += 2) {
-      const key = headers[i];
-      const redactedText = getRedactedText(key);
-      if (redactedText) {
-        headers[i + 1] = redactedText;
-      }
-    }
-    // raw queries
-    if (store.sourceInfo?.queries) {
-      const searchParams = new URLSearchParams(store.sourceInfo.queries);
-      for (const [key] of searchParams) {
-        const redactedText = getRedactedText(key);
-        if (redactedText) {
-          searchParams.set(key, redactedText);
-        }
-      }
-      store.sourceInfo.queries = searchParams.toString();
-    }
-    if (policy.maskAttackVector) {
-      // attack values
-      const inputAnalysis = Object.entries(store.protect?.resultsMap);
-      for (const [, results] of inputAnalysis) {
-        for (const result of results) {
-          const redactedText = getRedactedText(result.key);
-          if (result.exploitMetadata.length) {
-            result.exploitMetadata.forEach((exploit) => {
-              unmasked.forEach((val) => {
-                exploit.sinkContext.value = StringPrototypeReplace.call(
-                  exploit.sinkContext.value,
-                  val,
-                  'contrast-redacted-vector'
-                );
-              });
-            });
-          }
-          if (redactedText) {
-            result.value = redactedText;
-          }
-        }
-      }
-    }
-  });
-};